[misc] fix relay exposed address test (#3931)

* Run registerdns before flushing

* Disable WINS, dynamic updates and registration

.github/ISSUE_TEMPLATE/bug-issue-report.md

@@ -37,17 +37,22 @@ If yes, which one?
 
 **Debug output**
 
-To help us resolve the problem, please attach the following debug output
+To help us resolve the problem, please attach the following anonymized status output
 
   netbird status -dA
 
-As well as the file created by
+Create and upload a debug bundle, and share the returned file key:
+
+  netbird debug for 1m -AS -U
+
+*Uploaded files are automatically deleted after 30 days.*
+
+
+Alternatively, create the file only and attach it here manually:
 
   netbird debug for 1m -AS
 
 
-We advise reviewing the anonymized output for any remaining personal information.
-
 **Screenshots**
 
 If applicable, add screenshots to help explain your problem.
@@ -57,8 +62,10 @@ If applicable, add screenshots to help explain your problem.
 Add any other context about the problem here.
 
 **Have you tried these troubleshooting steps?**
+- [ ] Reviewed [client troubleshooting](https://docs.netbird.io/how-to/troubleshooting-client) (if applicable)
 - [ ] Checked for newer NetBird versions
 - [ ] Searched for similar issues on GitHub (including closed ones)
 - [ ] Restarted the NetBird client
 - [ ] Disabled other VPN software
 - [ ] Checked firewall settings
+

.github/pull_request_template.md

@@ -13,3 +13,5 @@
 - [ ] It is a refactor
 - [ ] Created tests that fail without the change (if possible)
 - [ ] Extended the README / documentation, if necessary
+
+> By submitting this pull request, you confirm that you have read and agree to the terms of the [Contributor License Agreement](https://github.com/netbirdio/netbird/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT.md).

.github/workflows/golang-test-linux.yml

@@ -223,6 +223,10 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Install dependencies
+        if: steps.cache.outputs.cache-hit != 'true'
+        run: sudo apt update && sudo apt install -y gcc-multilib g++-multilib libc6-dev-i386
+
       - name: Get Go environment
         run: |
           echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
@@ -269,6 +273,10 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Install dependencies
+        if: steps.cache.outputs.cache-hit != 'true'
+        run: sudo apt update && sudo apt install -y gcc-multilib g++-multilib libc6-dev-i386
+
       - name: Get Go environment
         run: |
           echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV

.github/workflows/golangci-lint.yml

@@ -21,7 +21,6 @@ jobs:
         with:
           ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe
           skip: go.mod,go.sum
-          only_warn: 1
   golangci:
     strategy:
       fail-fast: false

.github/workflows/test-infrastructure-files.yml

@@ -172,13 +172,14 @@ jobs:
           grep "NETBIRD_STORE_ENGINE_MYSQL_DSN=$NETBIRD_STORE_ENGINE_MYSQL_DSN" docker-compose.yml
           grep NETBIRD_STORE_ENGINE_POSTGRES_DSN docker-compose.yml | egrep "$NETBIRD_STORE_ENGINE_POSTGRES_DSN"
           # check relay values
-          grep "NB_EXPOSED_ADDRESS=$CI_NETBIRD_DOMAIN:33445" docker-compose.yml
+          grep "NB_EXPOSED_ADDRESS=rels://$CI_NETBIRD_DOMAIN:33445" docker-compose.yml
           grep "NB_LISTEN_ADDRESS=:33445" docker-compose.yml
           grep '33445:33445' docker-compose.yml
           grep -A 10 'relay:' docker-compose.yml | egrep 'NB_AUTH_SECRET=.+$'
-          grep -A 7 Relay management.json | grep "rel://$CI_NETBIRD_DOMAIN:33445"
+          grep -A 7 Relay management.json | grep "rels://$CI_NETBIRD_DOMAIN:33445"
           grep -A 7 Relay management.json | egrep '"Secret": ".+"'
           grep DisablePromptLogin management.json | grep 'true'
+          grep LoginFlag management.json | grep 0
 
       - name: Install modules
         run: go mod tidy

client/anonymize/anonymize.go

@@ -69,6 +69,22 @@ func (a *Anonymizer) AnonymizeIP(ip netip.Addr) netip.Addr {
 	return a.ipAnonymizer[ip]
 }
 
+func (a *Anonymizer) AnonymizeUDPAddr(addr net.UDPAddr) net.UDPAddr {
+	// Convert IP to netip.Addr
+	ip, ok := netip.AddrFromSlice(addr.IP)
+	if !ok {
+		return addr
+	}
+
+	anonIP := a.AnonymizeIP(ip)
+
+	return net.UDPAddr{
+		IP:   anonIP.AsSlice(),
+		Port: addr.Port,
+		Zone: addr.Zone,
+	}
+}
+
 // isInAnonymizedRange checks if an IP is within the range of already assigned anonymized IPs
 func (a *Anonymizer) isInAnonymizedRange(ip netip.Addr) bool {
 	if ip.Is4() && ip.Compare(a.startAnonIPv4) >= 0 && ip.Compare(a.currentAnonIPv4) <= 0 {

client/cmd/debug.go

@@ -235,13 +235,6 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
 	}
 
-	// Disable network map persistence after creating the debug bundle
-	if _, err := client.SetNetworkMapPersistence(cmd.Context(), &proto.SetNetworkMapPersistenceRequest{
-		Enabled: false,
-	}); err != nil {
-		return fmt.Errorf("failed to disable network map persistence: %v", status.Convert(err).Message())
-	}
-
 	if stateWasDown {
 		if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
 			return fmt.Errorf("failed to down: %v", status.Convert(err).Message())

client/cmd/login.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"runtime"
 	"strings"
 	"time"
 
@@ -100,7 +101,7 @@ var loginCmd = &cobra.Command{
 		loginRequest := proto.LoginRequest{
 			SetupKey:            providedSetupKey,
 			ManagementUrl:       managementURL,
-			IsLinuxDesktopClient: isLinuxRunningDesktop(),
+			IsUnixDesktopClient: isUnixRunningDesktop(),
 			Hostname:            hostName,
 			DnsLabels:           dnsLabelsReq,
 		}
@@ -195,7 +196,7 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *internal.C
 }
 
 func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *internal.Config) (*auth.TokenInfo, error) {
-	oAuthFlow, err := auth.NewOAuthFlow(ctx, config, isLinuxRunningDesktop())
+	oAuthFlow, err := auth.NewOAuthFlow(ctx, config, isUnixRunningDesktop())
 	if err != nil {
 		return nil, err
 	}
@@ -243,7 +244,10 @@ func openURL(cmd *cobra.Command, verificationURIComplete, userCode string, noBro
 	}
 }
 
-// isLinuxRunningDesktop checks if a Linux OS is running desktop environment
+// isUnixRunningDesktop checks if a Linux OS is running desktop environment
-func isLinuxRunningDesktop() bool {
+func isUnixRunningDesktop() bool {
+	if runtime.GOOS != "linux" && runtime.GOOS != "freebsd" {
+		return false
+	}
 	return os.Getenv("DESKTOP_SESSION") != "" || os.Getenv("XDG_CURRENT_DESKTOP") != ""
 }

client/cmd/root.go

@@ -39,10 +39,9 @@ const (
 	extraIFaceBlackListFlag  = "extra-iface-blacklist"
 	dnsRouteIntervalFlag     = "dns-router-interval"
 	systemInfoFlag           = "system-info"
-	blockLANAccessFlag      = "block-lan-access"
+	enableLazyConnectionFlag = "enable-lazy-connection"
 	uploadBundle             = "upload-bundle"
 	uploadBundleURL          = "upload-bundle-url"
-	defaultBundleURL        = "https://upload.debug.netbird.io" + types.GetURLPath
 )
 
 var (
@@ -78,9 +77,9 @@ var (
 	anonymizeFlag           bool
 	debugSystemInfoFlag     bool
 	dnsRouteInterval        time.Duration
-	blockLANAccess          bool
 	debugUploadBundle       bool
 	debugUploadBundleURL    string
+	lazyConnEnabled         bool
 
 	rootCmd = &cobra.Command{
 		Use:          "netbird",
@@ -185,10 +184,11 @@ func init() {
 	upCmd.PersistentFlags().BoolVar(&rosenpassPermissive, rosenpassPermissiveFlag, false, "[Experimental] Enable Rosenpass in permissive mode to allow this peer to accept WireGuard connections without requiring Rosenpass functionality from peers that do not have Rosenpass enabled.")
 	upCmd.PersistentFlags().BoolVar(&serverSSHAllowed, serverSSHAllowedFlag, false, "Allow SSH server on peer. If enabled, the SSH server will be permitted")
 	upCmd.PersistentFlags().BoolVar(&autoConnectDisabled, disableAutoConnectFlag, false, "Disables auto-connect feature. If enabled, then the client won't connect automatically when the service starts.")
+	upCmd.PersistentFlags().BoolVar(&lazyConnEnabled, enableLazyConnectionFlag, false, "[Experimental] Enable the lazy connection feature. If enabled, the client will establish connections on-demand.")
 
 	debugCmd.PersistentFlags().BoolVarP(&debugSystemInfoFlag, systemInfoFlag, "S", true, "Adds system information to the debug bundle")
 	debugCmd.PersistentFlags().BoolVarP(&debugUploadBundle, uploadBundle, "U", false, fmt.Sprintf("Uploads the debug bundle to a server from URL defined by %s", uploadBundleURL))
-	debugCmd.PersistentFlags().StringVar(&debugUploadBundleURL, uploadBundleURL, defaultBundleURL, "Service URL to get an URL to upload the debug bundle")
+	debugCmd.PersistentFlags().StringVar(&debugUploadBundleURL, uploadBundleURL, types.DefaultBundleURL, "Service URL to get an URL to upload the debug bundle")
 }
 
 // SetupCloseHandler handles SIGTERM signal and exits with success

client/cmd/service.go

@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"context"
+	"runtime"
 	"sync"
 
 	"github.com/kardianos/service"
@@ -27,12 +28,19 @@ func newProgram(ctx context.Context, cancel context.CancelFunc) *program {
 }
 
 func newSVCConfig() *service.Config {
-	return &service.Config{
+	config := &service.Config{
 		Name:        serviceName,
 		DisplayName: "Netbird",
-		Description: "A WireGuard-based mesh network that connects your devices into a single private network.",
+		Description: "Netbird mesh network client",
 		Option:      make(service.KeyValue),
+		EnvVars:     make(map[string]string),
 	}
+
+	if runtime.GOOS == "linux" {
+		config.EnvVars["SYSTEMD_UNIT"] = serviceName
+	}
+
+	return config
 }
 
 func newSVC(prg *program, conf *service.Config) (service.Service, error) {

client/cmd/service_installer.go

@@ -39,7 +39,7 @@ var installCmd = &cobra.Command{
 			svcConfig.Arguments = append(svcConfig.Arguments, "--management-url", managementURL)
 		}
 
-		if logFile != "console" {
+		if logFile != "" {
 			svcConfig.Arguments = append(svcConfig.Arguments, "--log-file", logFile)
 		}
 

client/cmd/status.go

@@ -44,7 +44,7 @@ func init() {
 	statusCmd.MarkFlagsMutuallyExclusive("detail", "json", "yaml", "ipv4")
 	statusCmd.PersistentFlags().StringSliceVar(&ipsFilter, "filter-by-ips", []string{}, "filters the detailed output by a list of one or more IPs, e.g., --filter-by-ips 100.64.0.100,100.64.0.200")
 	statusCmd.PersistentFlags().StringSliceVar(&prefixNamesFilter, "filter-by-names", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
-	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(connected|disconnected), e.g., --filter-by-status connected")
+	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
 }
 
 func statusFunc(cmd *cobra.Command, args []string) error {
@@ -127,12 +127,12 @@ func getStatus(ctx context.Context) (*proto.StatusResponse, error) {
 
 func parseFilters() error {
 	switch strings.ToLower(statusFilter) {
-	case "", "disconnected", "connected":
+	case "", "idle", "connecting", "connected":
 		if strings.ToLower(statusFilter) != "" {
 			enableDetailFlagWhenFilterFlag()
 		}
 	default:
-		return fmt.Errorf("wrong status filter, should be one of connected|disconnected, got: %s", statusFilter)
+		return fmt.Errorf("wrong status filter, should be one of connected|connecting|idle, got: %s", statusFilter)
 	}
 
 	if len(ipsFilter) > 0 {

client/cmd/system.go

@@ -6,6 +6,8 @@ const (
 	disableServerRoutesFlag = "disable-server-routes"
 	disableDNSFlag          = "disable-dns"
 	disableFirewallFlag     = "disable-firewall"
+	blockLANAccessFlag      = "block-lan-access"
+	blockInboundFlag        = "block-inbound"
 )
 
 var (
@@ -13,6 +15,8 @@ var (
 	disableServerRoutes bool
 	disableDNS          bool
 	disableFirewall     bool
+	blockLANAccess      bool
+	blockInbound        bool
 )
 
 func init() {
@@ -28,4 +32,11 @@ func init() {
 
 	upCmd.PersistentFlags().BoolVar(&disableFirewall, disableFirewallFlag, false,
 		"Disable firewall configuration. If enabled, the client won't modify firewall rules.")
+
+	upCmd.PersistentFlags().BoolVar(&blockLANAccess, blockLANAccessFlag, false,
+		"Block access to local networks (LAN) when using this peer as a router or exit node")
+
+	upCmd.PersistentFlags().BoolVar(&blockInbound, blockInboundFlag, false,
+		"Block inbound connections. If enabled, the client will not allow any inbound connections to the local machine nor routed networks.\n"+
+		"This overrides any policies received from the management service.")
 }

client/cmd/trace.go

@@ -17,7 +17,7 @@ var traceCmd = &cobra.Command{
 	Example: `
   netbird debug trace in 192.168.1.10 10.10.0.2 -p tcp --sport 12345 --dport 443 --syn --ack
   netbird debug trace out 10.10.0.1 8.8.8.8 -p udp  --dport 53
-  netbird debug trace in 10.10.0.2 10.10.0.1 -p icmp --type 8 --code 0
+  netbird debug trace in 10.10.0.2 10.10.0.1 -p icmp --icmp-type 8 --icmp-code 0
   netbird debug trace in 100.64.1.1 self -p tcp --dport 80`,
 	Args: cobra.ExactArgs(3),
 	RunE: tracePacket,

client/cmd/up.go

@@ -55,12 +55,11 @@ func init() {
 	upCmd.PersistentFlags().StringVar(&interfaceName, interfaceNameFlag, iface.WgInterfaceDefault, "Wireguard interface name")
 	upCmd.PersistentFlags().Uint16Var(&wireguardPort, wireguardPortFlag, iface.DefaultWgPort, "Wireguard interface listening port")
 	upCmd.PersistentFlags().BoolVarP(&networkMonitor, networkMonitorFlag, "N", networkMonitor,
-		`Manage network monitoring. Defaults to true on Windows and macOS, false on Linux. `+
+		`Manage network monitoring. Defaults to true on Windows and macOS, false on Linux and FreeBSD. `+
 			`E.g. --network-monitor=false to disable or --network-monitor=true to enable.`,
 	)
 	upCmd.PersistentFlags().StringSliceVar(&extraIFaceBlackList, extraIFaceBlackListFlag, nil, "Extra list of default interfaces to ignore for listening")
 	upCmd.PersistentFlags().DurationVar(&dnsRouteInterval, dnsRouteIntervalFlag, time.Minute, "DNS route update interval")
-	upCmd.PersistentFlags().BoolVar(&blockLANAccess, blockLANAccessFlag, false, "Block access to local networks (LAN) when using this peer as a router or exit node")
 
 	upCmd.PersistentFlags().StringSliceVar(&dnsLabels, dnsLabelsFlag, nil,
 		`Sets DNS labels`+
@@ -119,79 +118,9 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		return err
 	}
 
-	ic := internal.ConfigInput{
+	ic, err := setupConfig(customDNSAddressConverted, cmd)
-		ManagementURL:       managementURL,
+	if err != nil {
-		AdminURL:            adminURL,
+		return fmt.Errorf("setup config: %v", err)
-		ConfigPath:          configPath,
-		NATExternalIPs:      natExternalIPs,
-		CustomDNSAddress:    customDNSAddressConverted,
-		ExtraIFaceBlackList: extraIFaceBlackList,
-		DNSLabels:           dnsLabelsValidated,
-	}
-
-	if cmd.Flag(enableRosenpassFlag).Changed {
-		ic.RosenpassEnabled = &rosenpassEnabled
-	}
-
-	if cmd.Flag(rosenpassPermissiveFlag).Changed {
-		ic.RosenpassPermissive = &rosenpassPermissive
-	}
-
-	if cmd.Flag(serverSSHAllowedFlag).Changed {
-		ic.ServerSSHAllowed = &serverSSHAllowed
-	}
-
-	if cmd.Flag(interfaceNameFlag).Changed {
-		if err := parseInterfaceName(interfaceName); err != nil {
-			return err
-		}
-		ic.InterfaceName = &interfaceName
-	}
-
-	if cmd.Flag(wireguardPortFlag).Changed {
-		p := int(wireguardPort)
-		ic.WireguardPort = &p
-	}
-
-	if cmd.Flag(networkMonitorFlag).Changed {
-		ic.NetworkMonitor = &networkMonitor
-	}
-
-	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
-		ic.PreSharedKey = &preSharedKey
-	}
-
-	if cmd.Flag(disableAutoConnectFlag).Changed {
-		ic.DisableAutoConnect = &autoConnectDisabled
-
-		if autoConnectDisabled {
-			cmd.Println("Autoconnect has been disabled. The client won't connect automatically when the service starts.")
-		}
-
-		if !autoConnectDisabled {
-			cmd.Println("Autoconnect has been enabled. The client will connect automatically when the service starts.")
-		}
-	}
-
-	if cmd.Flag(dnsRouteIntervalFlag).Changed {
-		ic.DNSRouteInterval = &dnsRouteInterval
-	}
-
-	if cmd.Flag(disableClientRoutesFlag).Changed {
-		ic.DisableClientRoutes = &disableClientRoutes
-	}
-	if cmd.Flag(disableServerRoutesFlag).Changed {
-		ic.DisableServerRoutes = &disableServerRoutes
-	}
-	if cmd.Flag(disableDNSFlag).Changed {
-		ic.DisableDNS = &disableDNS
-	}
-	if cmd.Flag(disableFirewallFlag).Changed {
-		ic.DisableFirewall = &disableFirewall
-	}
-
-	if cmd.Flag(blockLANAccessFlag).Changed {
-		ic.BlockLANAccess = &blockLANAccess
 	}
 
 	providedSetupKey, err := getSetupKey()
@@ -199,7 +128,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		return err
 	}
 
-	config, err := internal.UpdateOrCreateConfig(ic)
+	config, err := internal.UpdateOrCreateConfig(*ic)
 	if err != nil {
 		return fmt.Errorf("get config file: %v", err)
 	}
@@ -258,9 +187,141 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 
 	providedSetupKey, err := getSetupKey()
 	if err != nil {
-		return err
+		return fmt.Errorf("get setup key: %v", err)
 	}
 
+	loginRequest, err := setupLoginRequest(providedSetupKey, customDNSAddressConverted, cmd)
+	if err != nil {
+		return fmt.Errorf("setup login request: %v", err)
+	}
+
+	var loginErr error
+	var loginResp *proto.LoginResponse
+
+	err = WithBackOff(func() error {
+		var backOffErr error
+		loginResp, backOffErr = client.Login(ctx, loginRequest)
+		if s, ok := gstatus.FromError(backOffErr); ok && (s.Code() == codes.InvalidArgument ||
+			s.Code() == codes.PermissionDenied ||
+			s.Code() == codes.NotFound ||
+			s.Code() == codes.Unimplemented) {
+			loginErr = backOffErr
+			return nil
+		}
+		return backOffErr
+	})
+	if err != nil {
+		return fmt.Errorf("login backoff cycle failed: %v", err)
+	}
+
+	if loginErr != nil {
+		return fmt.Errorf("login failed: %v", loginErr)
+	}
+
+	if loginResp.NeedsSSOLogin {
+
+		openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode, noBrowser)
+
+		_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode, Hostname: hostName})
+		if err != nil {
+			return fmt.Errorf("waiting sso login failed with: %v", err)
+		}
+	}
+
+	if _, err := client.Up(ctx, &proto.UpRequest{}); err != nil {
+		return fmt.Errorf("call service up method: %v", err)
+	}
+	cmd.Println("Connected")
+	return nil
+}
+
+func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command) (*internal.ConfigInput, error) {
+	ic := internal.ConfigInput{
+		ManagementURL:       managementURL,
+		AdminURL:            adminURL,
+		ConfigPath:          configPath,
+		NATExternalIPs:      natExternalIPs,
+		CustomDNSAddress:    customDNSAddressConverted,
+		ExtraIFaceBlackList: extraIFaceBlackList,
+		DNSLabels:           dnsLabelsValidated,
+	}
+
+	if cmd.Flag(enableRosenpassFlag).Changed {
+		ic.RosenpassEnabled = &rosenpassEnabled
+	}
+
+	if cmd.Flag(rosenpassPermissiveFlag).Changed {
+		ic.RosenpassPermissive = &rosenpassPermissive
+	}
+
+	if cmd.Flag(serverSSHAllowedFlag).Changed {
+		ic.ServerSSHAllowed = &serverSSHAllowed
+	}
+
+	if cmd.Flag(interfaceNameFlag).Changed {
+		if err := parseInterfaceName(interfaceName); err != nil {
+			return nil, err
+		}
+		ic.InterfaceName = &interfaceName
+	}
+
+	if cmd.Flag(wireguardPortFlag).Changed {
+		p := int(wireguardPort)
+		ic.WireguardPort = &p
+	}
+
+	if cmd.Flag(networkMonitorFlag).Changed {
+		ic.NetworkMonitor = &networkMonitor
+	}
+
+	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
+		ic.PreSharedKey = &preSharedKey
+	}
+
+	if cmd.Flag(disableAutoConnectFlag).Changed {
+		ic.DisableAutoConnect = &autoConnectDisabled
+
+		if autoConnectDisabled {
+			cmd.Println("Autoconnect has been disabled. The client won't connect automatically when the service starts.")
+		}
+
+		if !autoConnectDisabled {
+			cmd.Println("Autoconnect has been enabled. The client will connect automatically when the service starts.")
+		}
+	}
+
+	if cmd.Flag(dnsRouteIntervalFlag).Changed {
+		ic.DNSRouteInterval = &dnsRouteInterval
+	}
+
+	if cmd.Flag(disableClientRoutesFlag).Changed {
+		ic.DisableClientRoutes = &disableClientRoutes
+	}
+	if cmd.Flag(disableServerRoutesFlag).Changed {
+		ic.DisableServerRoutes = &disableServerRoutes
+	}
+	if cmd.Flag(disableDNSFlag).Changed {
+		ic.DisableDNS = &disableDNS
+	}
+	if cmd.Flag(disableFirewallFlag).Changed {
+		ic.DisableFirewall = &disableFirewall
+	}
+
+	if cmd.Flag(blockLANAccessFlag).Changed {
+		ic.BlockLANAccess = &blockLANAccess
+	}
+
+	if cmd.Flag(blockInboundFlag).Changed {
+		ic.BlockInbound = &blockInbound
+	}
+
+	if cmd.Flag(enableLazyConnectionFlag).Changed {
+		ic.LazyConnectionEnabled = &lazyConnEnabled
+	}
+	return &ic, nil
+}
+
+func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte, cmd *cobra.Command) (*proto.LoginRequest, error) {
 	loginRequest := proto.LoginRequest{
 		SetupKey:            providedSetupKey,
 		ManagementUrl:       managementURL,
@@ -268,7 +329,7 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 		NatExternalIPs:      natExternalIPs,
 		CleanNATExternalIPs: natExternalIPs != nil && len(natExternalIPs) == 0,
 		CustomDNSAddress:    customDNSAddressConverted,
-		IsLinuxDesktopClient: isLinuxRunningDesktop(),
+		IsUnixDesktopClient: isUnixRunningDesktop(),
 		Hostname:            hostName,
 		ExtraIFaceBlacklist: extraIFaceBlackList,
 		DnsLabels:           dnsLabels,
@@ -297,7 +358,7 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 
 	if cmd.Flag(interfaceNameFlag).Changed {
 		if err := parseInterfaceName(interfaceName); err != nil {
-			return err
+			return nil, err
 		}
 		loginRequest.InterfaceName = &interfaceName
 	}
@@ -332,45 +393,14 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 		loginRequest.BlockLanAccess = &blockLANAccess
 	}
 
-	var loginErr error
+	if cmd.Flag(blockInboundFlag).Changed {
-
+		loginRequest.BlockInbound = &blockInbound
-	var loginResp *proto.LoginResponse
-
-	err = WithBackOff(func() error {
-		var backOffErr error
-		loginResp, backOffErr = client.Login(ctx, &loginRequest)
-		if s, ok := gstatus.FromError(backOffErr); ok && (s.Code() == codes.InvalidArgument ||
-			s.Code() == codes.PermissionDenied ||
-			s.Code() == codes.NotFound ||
-			s.Code() == codes.Unimplemented) {
-			loginErr = backOffErr
-			return nil
-		}
-		return backOffErr
-	})
-	if err != nil {
-		return fmt.Errorf("login backoff cycle failed: %v", err)
 	}
 
-	if loginErr != nil {
+	if cmd.Flag(enableLazyConnectionFlag).Changed {
-		return fmt.Errorf("login failed: %v", loginErr)
+		loginRequest.LazyConnectionEnabled = &lazyConnEnabled
 	}
-
+	return &loginRequest, nil
-	if loginResp.NeedsSSOLogin {
-
-		openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode, noBrowser)
-
-		_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode, Hostname: hostName})
-		if err != nil {
-			return fmt.Errorf("waiting sso login failed with: %v", err)
-		}
-	}
-
-	if _, err := client.Up(ctx, &proto.UpRequest{}); err != nil {
-		return fmt.Errorf("call service up method: %v", err)
-	}
-	cmd.Println("Connected")
-	return nil
 }
 
 func validateNATExternalIPs(list []string) error {

client/firewall/iptables/manager_linux.go

@@ -147,6 +147,10 @@ func (m *Manager) IsServerRouteSupported() bool {
 	return true
 }
 
+func (m *Manager) IsStateful() bool {
+	return true
+}
+
 func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
@@ -198,7 +202,7 @@ func (m *Manager) AllowNetbird() error {
 	_, err := m.AddPeerFiltering(
 		nil,
 		net.IP{0, 0, 0, 0},
-		"all",
+		firewall.ProtocolALL,
 		nil,
 		nil,
 		firewall.ActionAccept,
@@ -219,10 +223,16 @@ func (m *Manager) SetLogLevel(log.Level) {
 }
 
 func (m *Manager) EnableRouting() error {
+	if err := m.router.ipFwdState.RequestForwarding(); err != nil {
+		return fmt.Errorf("enable IP forwarding: %w", err)
+	}
 	return nil
 }
 
 func (m *Manager) DisableRouting() error {
+	if err := m.router.ipFwdState.ReleaseForwarding(); err != nil {
+		return fmt.Errorf("disable IP forwarding: %w", err)
+	}
 	return nil
 }
 

client/firewall/iptables/manager_linux_test.go

@@ -2,7 +2,7 @@ package iptables
 
 import (
 	"fmt"
-	"net"
+	"net/netip"
 	"testing"
 	"time"
 
@@ -19,11 +19,8 @@ var ifaceMock = &iFaceMock{
 	},
 	AddressFunc: func() wgaddr.Address {
 		return wgaddr.Address{
-			IP: net.ParseIP("10.20.0.1"),
+			IP:      netip.MustParseAddr("10.20.0.1"),
-			Network: &net.IPNet{
+			Network: netip.MustParsePrefix("10.20.0.0/24"),
-				IP:   net.ParseIP("10.20.0.0"),
-				Mask: net.IPv4Mask(255, 255, 255, 0),
-			},
 		}
 	},
 }
@@ -70,12 +67,12 @@ func TestIptablesManager(t *testing.T) {
 
 	var rule2 []fw.Rule
 	t.Run("add second rule", func(t *testing.T) {
-		ip := net.ParseIP("10.20.0.3")
+		ip := netip.MustParseAddr("10.20.0.3")
 		port := &fw.Port{
 			IsRange: true,
 			Values:  []uint16{8043, 8046},
 		}
-		rule2, err = manager.AddPeerFiltering(nil, ip, "tcp", port, nil, fw.ActionAccept, "")
+		rule2, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", port, nil, fw.ActionAccept, "")
 		require.NoError(t, err, "failed to add rule")
 
 		for _, r := range rule2 {
@@ -95,9 +92,9 @@ func TestIptablesManager(t *testing.T) {
 
 	t.Run("reset check", func(t *testing.T) {
 		// add second rule
-		ip := net.ParseIP("10.20.0.3")
+		ip := netip.MustParseAddr("10.20.0.3")
 		port := &fw.Port{Values: []uint16{5353}}
-		_, err = manager.AddPeerFiltering(nil, ip, "udp", nil, port, fw.ActionAccept, "")
+		_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "udp", nil, port, fw.ActionAccept, "")
 		require.NoError(t, err, "failed to add rule")
 
 		err = manager.Close(nil)
@@ -119,11 +116,8 @@ func TestIptablesManagerIPSet(t *testing.T) {
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP: net.ParseIP("10.20.0.1"),
+				IP:      netip.MustParseAddr("10.20.0.1"),
-				Network: &net.IPNet{
+				Network: netip.MustParsePrefix("10.20.0.0/24"),
-					IP:   net.ParseIP("10.20.0.0"),
-					Mask: net.IPv4Mask(255, 255, 255, 0),
-				},
 			}
 		},
 	}
@@ -144,11 +138,11 @@ func TestIptablesManagerIPSet(t *testing.T) {
 
 	var rule2 []fw.Rule
 	t.Run("add second rule", func(t *testing.T) {
-		ip := net.ParseIP("10.20.0.3")
+		ip := netip.MustParseAddr("10.20.0.3")
 		port := &fw.Port{
 			Values: []uint16{443},
 		}
-		rule2, err = manager.AddPeerFiltering(nil, ip, "tcp", port, nil, fw.ActionAccept, "default")
+		rule2, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", port, nil, fw.ActionAccept, "default")
 		for _, r := range rule2 {
 			require.NoError(t, err, "failed to add rule")
 			require.Equal(t, r.(*Rule).ipsetName, "default-sport", "ipset name must be set")
@@ -186,11 +180,8 @@ func TestIptablesCreatePerformance(t *testing.T) {
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP: net.ParseIP("10.20.0.1"),
+				IP:      netip.MustParseAddr("10.20.0.1"),
-				Network: &net.IPNet{
+				Network: netip.MustParsePrefix("10.20.0.0/24"),
-					IP:   net.ParseIP("10.20.0.0"),
-					Mask: net.IPv4Mask(255, 255, 255, 0),
-				},
 			}
 		},
 	}
@@ -212,11 +203,11 @@ func TestIptablesCreatePerformance(t *testing.T) {
 
 			require.NoError(t, err)
 
-			ip := net.ParseIP("10.20.0.100")
+			ip := netip.MustParseAddr("10.20.0.100")
 			start := time.Now()
 			for i := 0; i < testMax; i++ {
 				port := &fw.Port{Values: []uint16{uint16(1000 + i)}}
-				_, err = manager.AddPeerFiltering(nil, ip, "tcp", nil, port, fw.ActionAccept, "")
+				_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", nil, port, fw.ActionAccept, "")
 
 				require.NoError(t, err, "failed to add rule")
 			}

client/firewall/iptables/router_linux.go

@@ -248,10 +248,6 @@ func (r *router) deleteIpSet(setName string) error {
 
 // AddNatRule inserts an iptables rule pair into the nat chain
 func (r *router) AddNatRule(pair firewall.RouterPair) error {
-	if err := r.ipFwdState.RequestForwarding(); err != nil {
-		return err
-	}
-
 	if r.legacyManagement {
 		log.Warnf("This peer is connected to a NetBird Management service with an older version. Allowing all traffic for %s", pair.Destination)
 		if err := r.addLegacyRouteRule(pair); err != nil {
@@ -278,10 +274,6 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {
 
 // RemoveNatRule removes an iptables rule pair from forwarding and nat chains
 func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
-	if err := r.ipFwdState.ReleaseForwarding(); err != nil {
-		log.Errorf("%v", err)
-	}
-
 	if pair.Masquerade {
 		if err := r.removeNatRule(pair); err != nil {
 			return fmt.Errorf("remove nat rule: %w", err)

client/firewall/manager/firewall.go

@@ -116,6 +116,8 @@ type Manager interface {
 	// IsServerRouteSupported returns true if the firewall supports server side routing operations
 	IsServerRouteSupported() bool
 
+	IsStateful() bool
+
 	AddRouteFiltering(
 		id []byte,
 		sources []netip.Prefix,

client/firewall/nftables/manager_linux.go

@@ -170,6 +170,10 @@ func (m *Manager) IsServerRouteSupported() bool {
 	return true
 }
 
+func (m *Manager) IsStateful() bool {
+	return true
+}
+
 func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
@@ -324,10 +328,16 @@ func (m *Manager) SetLogLevel(log.Level) {
 }
 
 func (m *Manager) EnableRouting() error {
+	if err := m.router.ipFwdState.RequestForwarding(); err != nil {
+		return fmt.Errorf("enable IP forwarding: %w", err)
+	}
 	return nil
 }
 
 func (m *Manager) DisableRouting() error {
+	if err := m.router.ipFwdState.ReleaseForwarding(); err != nil {
+		return fmt.Errorf("disable IP forwarding: %w", err)
+	}
 	return nil
 }
 

client/firewall/nftables/manager_linux_test.go

@@ -3,7 +3,6 @@ package nftables
 import (
 	"bytes"
 	"fmt"
-	"net"
 	"net/netip"
 	"os/exec"
 	"testing"
@@ -25,11 +24,8 @@ var ifaceMock = &iFaceMock{
 	},
 	AddressFunc: func() wgaddr.Address {
 		return wgaddr.Address{
-			IP: net.ParseIP("100.96.0.1"),
+			IP:      netip.MustParseAddr("100.96.0.1"),
-			Network: &net.IPNet{
+			Network: netip.MustParsePrefix("100.96.0.0/16"),
-				IP:   net.ParseIP("100.96.0.0"),
-				Mask: net.IPv4Mask(255, 255, 255, 0),
-			},
 		}
 	},
 }
@@ -70,11 +66,11 @@ func TestNftablesManager(t *testing.T) {
 		time.Sleep(time.Second)
 	}()
 
-	ip := net.ParseIP("100.96.0.1")
+	ip := netip.MustParseAddr("100.96.0.1").Unmap()
 
 	testClient := &nftables.Conn{}
 
-	rule, err := manager.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{53}}, fw.ActionDrop, "")
+	rule, err := manager.AddPeerFiltering(nil, ip.AsSlice(), fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{53}}, fw.ActionDrop, "")
 	require.NoError(t, err, "failed to add rule")
 
 	err = manager.Flush()
@@ -109,8 +105,6 @@ func TestNftablesManager(t *testing.T) {
 	}
 	compareExprsIgnoringCounters(t, rules[0].Exprs, expectedExprs1)
 
-	ipToAdd, _ := netip.AddrFromSlice(ip)
-	add := ipToAdd.Unmap()
 	expectedExprs2 := []expr.Any{
 		&expr.Payload{
 			DestRegister: 1,
@@ -132,7 +126,7 @@ func TestNftablesManager(t *testing.T) {
 		&expr.Cmp{
 			Op:       expr.CmpOpEq,
 			Register: 1,
-			Data:     add.AsSlice(),
+			Data:     ip.AsSlice(),
 		},
 		&expr.Payload{
 			DestRegister: 1,
@@ -173,11 +167,8 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP: net.ParseIP("100.96.0.1"),
+				IP:      netip.MustParseAddr("100.96.0.1"),
-				Network: &net.IPNet{
+				Network: netip.MustParsePrefix("100.96.0.0/16"),
-					IP:   net.ParseIP("100.96.0.0"),
-					Mask: net.IPv4Mask(255, 255, 255, 0),
-				},
 			}
 		},
 	}
@@ -197,11 +188,11 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 				time.Sleep(time.Second)
 			}()
 
-			ip := net.ParseIP("10.20.0.100")
+			ip := netip.MustParseAddr("10.20.0.100")
 			start := time.Now()
 			for i := 0; i < testMax; i++ {
 				port := &fw.Port{Values: []uint16{uint16(1000 + i)}}
-				_, err = manager.AddPeerFiltering(nil, ip, "tcp", nil, port, fw.ActionAccept, "")
+				_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", nil, port, fw.ActionAccept, "")
 				require.NoError(t, err, "failed to add rule")
 
 				if i%100 == 0 {
@@ -282,8 +273,8 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 		verifyIptablesOutput(t, stdout, stderr)
 	})
 
-	ip := net.ParseIP("100.96.0.1")
+	ip := netip.MustParseAddr("100.96.0.1")
-	_, err = manager.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
+	_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
 	require.NoError(t, err, "failed to add peer filtering rule")
 
 	_, err = manager.AddRouteFiltering(

client/firewall/nftables/router_linux.go

@@ -573,10 +573,6 @@ func (r *router) deleteNftRule(rule *nftables.Rule, ruleKey string) error {
 
 // AddNatRule appends a nftables rule pair to the nat chain
 func (r *router) AddNatRule(pair firewall.RouterPair) error {
-	if err := r.ipFwdState.RequestForwarding(); err != nil {
-		return err
-	}
-
 	if err := r.refreshRulesMap(); err != nil {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}
@@ -1006,10 +1002,6 @@ func (r *router) removeAcceptForwardRulesIptables(ipt *iptables.IPTables) error
 
 // RemoveNatRule removes the prerouting mark rule
 func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
-	if err := r.ipFwdState.ReleaseForwarding(); err != nil {
-		log.Errorf("%v", err)
-	}
-
 	if err := r.refreshRulesMap(); err != nil {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}

client/firewall/uspfilter/forwarder/forwarder.go

@@ -41,7 +41,7 @@ type Forwarder struct {
 	udpForwarder *udpForwarder
 	ctx          context.Context
 	cancel       context.CancelFunc
-	ip           net.IP
+	ip           tcpip.Address
 	netstack     bool
 }
 
@@ -71,12 +71,11 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		return nil, fmt.Errorf("failed to create NIC: %v", err)
 	}
 
-	ones, _ := iface.Address().Network.Mask.Size()
 	protoAddr := tcpip.ProtocolAddress{
 		Protocol: ipv4.ProtocolNumber,
 		AddressWithPrefix: tcpip.AddressWithPrefix{
-			Address:   tcpip.AddrFromSlice(iface.Address().IP.To4()),
+			Address:   tcpip.AddrFromSlice(iface.Address().IP.AsSlice()),
-			PrefixLen: ones,
+			PrefixLen: iface.Address().Network.Bits(),
 		},
 	}
 
@@ -116,7 +115,7 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		ctx:          ctx,
 		cancel:       cancel,
 		netstack:     netstack,
-		ip:           iface.Address().IP,
+		ip:           tcpip.AddrFromSlice(iface.Address().IP.AsSlice()),
 	}
 
 	receiveWindow := defaultReceiveWindow
@@ -167,7 +166,7 @@ func (f *Forwarder) Stop() {
 }
 
 func (f *Forwarder) determineDialAddr(addr tcpip.Address) net.IP {
-	if f.netstack && f.ip.Equal(addr.AsSlice()) {
+	if f.netstack && f.ip.Equal(addr) {
 		return net.IPv4(127, 0, 0, 1)
 	}
 	return addr.AsSlice()
@@ -179,7 +178,6 @@ func (f *Forwarder) RegisterRuleID(srcIP, dstIP netip.Addr, srcPort, dstPort uin
 }
 
 func (f *Forwarder) getRuleID(srcIP, dstIP netip.Addr, srcPort, dstPort uint16) ([]byte, bool) {
-
 	if value, ok := f.ruleIdMap.Load(buildKey(srcIP, dstIP, srcPort, dstPort)); ok {
 		return value.([]byte), true
 	} else if value, ok := f.ruleIdMap.Load(buildKey(dstIP, srcIP, dstPort, srcPort)); ok {

client/firewall/uspfilter/forwarder/tcp.go

@@ -111,12 +111,12 @@ func (f *Forwarder) proxyTCP(id stack.TransportEndpointID, inConn *gonet.TCPConn
 
 	if errInToOut != nil {
 		if !isClosedError(errInToOut) {
-			f.logger.Error("proxyTCP: copy error (in -> out): %v", errInToOut)
+			f.logger.Error("proxyTCP: copy error (in -> out) for %s: %v", epID(id), errInToOut)
 		}
 	}
 	if errOutToIn != nil {
 		if !isClosedError(errOutToIn) {
-			f.logger.Error("proxyTCP: copy error (out -> in): %v", errOutToIn)
+			f.logger.Error("proxyTCP: copy error (out -> in) for %s: %v", epID(id), errOutToIn)
 		}
 	}
 

client/firewall/uspfilter/forwarder/udp.go

@@ -250,10 +250,10 @@ func (f *Forwarder) proxyUDP(ctx context.Context, pConn *udpPacketConn, id stack
 	wg.Wait()
 
 	if outboundErr != nil && !isClosedError(outboundErr) {
-		f.logger.Error("proxyUDP: copy error (outbound->inbound): %v", outboundErr)
+		f.logger.Error("proxyUDP: copy error (outbound->inbound) for %s: %v", epID(id), outboundErr)
 	}
 	if inboundErr != nil && !isClosedError(inboundErr) {
-		f.logger.Error("proxyUDP: copy error (inbound->outbound): %v", inboundErr)
+		f.logger.Error("proxyUDP: copy error (inbound->outbound) for %s: %v", epID(id), inboundErr)
 	}
 
 	var rxPackets, txPackets uint64

client/firewall/uspfilter/localip.go

@@ -45,8 +45,12 @@ func (m *localIPManager) setBitmapBit(ip net.IP) {
 	m.ipv4Bitmap[high].bitmap[index] |= 1 << bit
 }
 
-func (m *localIPManager) setBitInBitmap(ip net.IP, bitmap *[256]*ipv4LowBitmap, ipv4Set map[string]struct{}, ipv4Addresses *[]string) {
+func (m *localIPManager) setBitInBitmap(ip netip.Addr, bitmap *[256]*ipv4LowBitmap, ipv4Set map[netip.Addr]struct{}, ipv4Addresses *[]netip.Addr) {
-	if ipv4 := ip.To4(); ipv4 != nil {
+	if !ip.Is4() {
+		return
+	}
+	ipv4 := ip.AsSlice()
+
 	high := uint16(ipv4[0])
 	low := (uint16(ipv4[1]) << 8) | (uint16(ipv4[2]) << 4) | uint16(ipv4[3])
 
@@ -58,11 +62,9 @@ func (m *localIPManager) setBitInBitmap(ip net.IP, bitmap *[256]*ipv4LowBitmap,
 	bit := low % 32
 	bitmap[high].bitmap[index] |= 1 << bit
 
-		ipStr := ipv4.String()
+	if _, exists := ipv4Set[ip]; !exists {
-		if _, exists := ipv4Set[ipStr]; !exists {
+		ipv4Set[ip] = struct{}{}
-			ipv4Set[ipStr] = struct{}{}
+		*ipv4Addresses = append(*ipv4Addresses, ip)
-			*ipv4Addresses = append(*ipv4Addresses, ipStr)
-		}
 	}
 }
 
@@ -79,12 +81,12 @@ func (m *localIPManager) checkBitmapBit(ip []byte) bool {
 	return (m.ipv4Bitmap[high].bitmap[index] & (1 << bit)) != 0
 }
 
-func (m *localIPManager) processIP(ip net.IP, bitmap *[256]*ipv4LowBitmap, ipv4Set map[string]struct{}, ipv4Addresses *[]string) error {
+func (m *localIPManager) processIP(ip netip.Addr, bitmap *[256]*ipv4LowBitmap, ipv4Set map[netip.Addr]struct{}, ipv4Addresses *[]netip.Addr) error {
 	m.setBitInBitmap(ip, bitmap, ipv4Set, ipv4Addresses)
 	return nil
 }
 
-func (m *localIPManager) processInterface(iface net.Interface, bitmap *[256]*ipv4LowBitmap, ipv4Set map[string]struct{}, ipv4Addresses *[]string) {
+func (m *localIPManager) processInterface(iface net.Interface, bitmap *[256]*ipv4LowBitmap, ipv4Set map[netip.Addr]struct{}, ipv4Addresses *[]netip.Addr) {
 	addrs, err := iface.Addrs()
 	if err != nil {
 		log.Debugf("get addresses for interface %s failed: %v", iface.Name, err)
@@ -102,7 +104,13 @@ func (m *localIPManager) processInterface(iface net.Interface, bitmap *[256]*ipv
 			continue
 		}
 
-		if err := m.processIP(ip, bitmap, ipv4Set, ipv4Addresses); err != nil {
+		addr, ok := netip.AddrFromSlice(ip)
+		if !ok {
+			log.Warnf("invalid IP address %s in interface %s", ip.String(), iface.Name)
+			continue
+		}
+
+		if err := m.processIP(addr.Unmap(), bitmap, ipv4Set, ipv4Addresses); err != nil {
 			log.Debugf("process IP failed: %v", err)
 		}
 	}
@@ -116,8 +124,8 @@ func (m *localIPManager) UpdateLocalIPs(iface common.IFaceMapper) (err error) {
 	}()
 
 	var newIPv4Bitmap [256]*ipv4LowBitmap
-	ipv4Set := make(map[string]struct{})
+	ipv4Set := make(map[netip.Addr]struct{})
-	var ipv4Addresses []string
+	var ipv4Addresses []netip.Addr
 
 	// 127.0.0.0/8
 	newIPv4Bitmap[127] = &ipv4LowBitmap{}

client/firewall/uspfilter/localip_test.go

@@ -20,11 +20,8 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Localhost range",
 			setupAddr: wgaddr.Address{
-				IP: net.ParseIP("192.168.1.1"),
+				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: &net.IPNet{
+				Network: netip.MustParsePrefix("192.168.1.0/24"),
-					IP:   net.ParseIP("192.168.1.0"),
-					Mask: net.CIDRMask(24, 32),
-				},
 			},
 			testIP:   netip.MustParseAddr("127.0.0.2"),
 			expected: true,
@@ -32,11 +29,8 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Localhost standard address",
 			setupAddr: wgaddr.Address{
-				IP: net.ParseIP("192.168.1.1"),
+				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: &net.IPNet{
+				Network: netip.MustParsePrefix("192.168.1.0/24"),
-					IP:   net.ParseIP("192.168.1.0"),
-					Mask: net.CIDRMask(24, 32),
-				},
 			},
 			testIP:   netip.MustParseAddr("127.0.0.1"),
 			expected: true,
@@ -44,11 +38,8 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Localhost range edge",
 			setupAddr: wgaddr.Address{
-				IP: net.ParseIP("192.168.1.1"),
+				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: &net.IPNet{
+				Network: netip.MustParsePrefix("192.168.1.0/24"),
-					IP:   net.ParseIP("192.168.1.0"),
-					Mask: net.CIDRMask(24, 32),
-				},
 			},
 			testIP:   netip.MustParseAddr("127.255.255.255"),
 			expected: true,
@@ -56,11 +47,8 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Local IP matches",
 			setupAddr: wgaddr.Address{
-				IP: net.ParseIP("192.168.1.1"),
+				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: &net.IPNet{
+				Network: netip.MustParsePrefix("192.168.1.0/24"),
-					IP:   net.ParseIP("192.168.1.0"),
-					Mask: net.CIDRMask(24, 32),
-				},
 			},
 			testIP:   netip.MustParseAddr("192.168.1.1"),
 			expected: true,
@@ -68,11 +56,8 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Local IP doesn't match",
 			setupAddr: wgaddr.Address{
-				IP: net.ParseIP("192.168.1.1"),
+				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: &net.IPNet{
+				Network: netip.MustParsePrefix("192.168.1.0/24"),
-					IP:   net.ParseIP("192.168.1.0"),
-					Mask: net.CIDRMask(24, 32),
-				},
 			},
 			testIP:   netip.MustParseAddr("192.168.1.2"),
 			expected: false,
@@ -80,11 +65,8 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Local IP doesn't match - addresses 32 apart",
 			setupAddr: wgaddr.Address{
-				IP: net.ParseIP("192.168.1.1"),
+				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: &net.IPNet{
+				Network: netip.MustParsePrefix("192.168.1.0/24"),
-					IP:   net.ParseIP("192.168.1.0"),
-					Mask: net.CIDRMask(24, 32),
-				},
 			},
 			testIP:   netip.MustParseAddr("192.168.1.33"),
 			expected: false,
@@ -92,11 +74,8 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "IPv6 address",
 			setupAddr: wgaddr.Address{
-				IP: net.ParseIP("fe80::1"),
+				IP:      netip.MustParseAddr("fe80::1"),
-				Network: &net.IPNet{
+				Network: netip.MustParsePrefix("192.168.1.0/24"),
-					IP:   net.ParseIP("fe80::"),
-					Mask: net.CIDRMask(64, 128),
-				},
 			},
 			testIP:   netip.MustParseAddr("fe80::1"),
 			expected: false,

client/firewall/uspfilter/tracer_test.go

@@ -38,11 +38,8 @@ func TestTracePacket(t *testing.T) {
 			SetFilterFunc: func(device.PacketFilter) error { return nil },
 			AddressFunc: func() wgaddr.Address {
 				return wgaddr.Address{
-					IP: net.ParseIP("100.10.0.100"),
+					IP:      netip.MustParseAddr("100.10.0.100"),
-					Network: &net.IPNet{
+					Network: netip.MustParsePrefix("100.10.0.0/16"),
-						IP:   net.ParseIP("100.10.0.0"),
-						Mask: net.CIDRMask(16, 32),
-					},
 				}
 			},
 		}

client/firewall/uspfilter/uspfilter.go

@@ -39,8 +39,12 @@ const (
 	// EnvForceUserspaceRouter forces userspace routing even if native routing is available.
 	EnvForceUserspaceRouter = "NB_FORCE_USERSPACE_ROUTER"
 
-	// EnvEnableNetstackLocalForwarding enables forwarding of local traffic to the native stack when running netstack
+	// EnvEnableLocalForwarding enables forwarding of local traffic to the native stack for internal (non-NetBird) interfaces.
-	// Leaving this on by default introduces a security risk as sockets on listening on localhost only will be accessible
+	// Default off as it might be security risk because sockets listening on localhost only will become accessible.
+	EnvEnableLocalForwarding = "NB_ENABLE_LOCAL_FORWARDING"
+
+	// EnvEnableNetstackLocalForwarding is an alias for EnvEnableLocalForwarding.
+	// In netstack mode, it enables forwarding of local traffic to the native stack for all interfaces.
 	EnvEnableNetstackLocalForwarding = "NB_ENABLE_NETSTACK_LOCAL_FORWARDING"
 )
 
@@ -71,7 +75,6 @@ type Manager struct {
 	// incomingRules is used for filtering and hooks
 	incomingRules  map[netip.Addr]RuleSet
 	routeRules     RouteRules
-	wgNetwork      *net.IPNet
 	decoders       sync.Pool
 	wgIface        common.IFaceMapper
 	nativeFirewall firewall.Manager
@@ -148,6 +151,11 @@ func parseCreateEnv() (bool, bool) {
 		if err != nil {
 			log.Warnf("failed to parse %s: %v", EnvEnableNetstackLocalForwarding, err)
 		}
+	} else if val := os.Getenv(EnvEnableLocalForwarding); val != "" {
+		enableLocalForwarding, err = strconv.ParseBool(val)
+		if err != nil {
+			log.Warnf("failed to parse %s: %v", EnvEnableLocalForwarding, err)
+		}
 	}
 
 	return disableConntrack, enableLocalForwarding
@@ -269,7 +277,7 @@ func (m *Manager) determineRouting() error {
 
 		log.Info("userspace routing is forced")
 
-	case !m.netstack && m.nativeFirewall != nil && m.nativeFirewall.IsServerRouteSupported():
+	case !m.netstack && m.nativeFirewall != nil:
 		// if the OS supports routing natively, then we don't need to filter/route ourselves
 		// netstack mode won't support native routing as there is no interface
 
@@ -326,6 +334,10 @@ func (m *Manager) IsServerRouteSupported() bool {
 	return true
 }
 
+func (m *Manager) IsStateful() bool {
+	return m.stateful
+}
+
 func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 	if m.nativeRouter.Load() && m.nativeFirewall != nil {
 		return m.nativeFirewall.AddNatRule(pair)
@@ -606,9 +618,8 @@ func (m *Manager) processOutgoingHooks(packetData []byte, size int) bool {
 		return true
 	}
 
-	if m.stateful {
+	// for netflow we keep track even if the firewall is stateless
 	m.trackOutbound(d, srcIP, dstIP, size)
-	}
 
 	return false
 }
@@ -777,9 +788,10 @@ func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP netip.Addr, packet
 		return true
 	}
 
-	// if running in netstack mode we need to pass this to the forwarder
+	// If requested we pass local traffic to internal interfaces to the forwarder.
-	if m.netstack && m.localForwarding {
+	// netstack doesn't have an interface to forward packets to the native stack so we always need to use the forwarder.
-		return m.handleNetstackLocalTraffic(packetData)
+	if m.localForwarding && (m.netstack || dstIP != m.wgIface.Address().IP) {
+		return m.handleForwardedLocalTraffic(packetData)
 	}
 
 	// track inbound packets to get the correct direction and session id for flows
@@ -789,8 +801,7 @@ func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP netip.Addr, packet
 	return false
 }
 
-func (m *Manager) handleNetstackLocalTraffic(packetData []byte) bool {
+func (m *Manager) handleForwardedLocalTraffic(packetData []byte) bool {
-
 	fwd := m.forwarder.Load()
 	if fwd == nil {
 		m.logger.Trace("Dropping local packet (forwarder not initialized)")
@@ -1088,11 +1099,6 @@ func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, prot
 	return true
 }
 
-// SetNetwork of the wireguard interface to which filtering applied
-func (m *Manager) SetNetwork(network *net.IPNet) {
-	m.wgNetwork = network
-}
-
 // AddUDPPacketHook calls hook when UDP packet from given direction matched
 //
 // Hook function returns flag which indicates should be the matched package dropped or not

client/firewall/uspfilter/uspfilter_bench_test.go

@@ -174,11 +174,6 @@ func BenchmarkCoreFiltering(b *testing.B) {
 					require.NoError(b, manager.Close(nil))
 				})
 
-				manager.wgNetwork = &net.IPNet{
-					IP:   net.ParseIP("100.64.0.0"),
-					Mask: net.CIDRMask(10, 32),
-				}
-
 				// Apply scenario-specific setup
 				sc.setupFunc(manager)
 
@@ -219,11 +214,6 @@ func BenchmarkStateScaling(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
-			manager.wgNetwork = &net.IPNet{
-				IP:   net.ParseIP("100.64.0.0"),
-				Mask: net.CIDRMask(10, 32),
-			}
-
 			// Pre-populate connection table
 			srcIPs := generateRandomIPs(count)
 			dstIPs := generateRandomIPs(count)
@@ -267,11 +257,6 @@ func BenchmarkEstablishmentOverhead(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
-			manager.wgNetwork = &net.IPNet{
-				IP:   net.ParseIP("100.64.0.0"),
-				Mask: net.CIDRMask(10, 32),
-			}
-
 			srcIP := generateRandomIPs(1)[0]
 			dstIP := generateRandomIPs(1)[0]
 			outbound := generatePacket(b, srcIP, dstIP, 1024, 80, layers.IPProtocolTCP)
@@ -304,10 +289,6 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolTCP,
 			state: "new",
 			setupFunc: func(m *Manager) {
-				m.wgNetwork = &net.IPNet{
-					IP:   net.ParseIP("100.64.0.0"),
-					Mask: net.CIDRMask(10, 32),
-				}
 				b.Setenv("NB_DISABLE_CONNTRACK", "1")
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -321,10 +302,6 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolTCP,
 			state: "established",
 			setupFunc: func(m *Manager) {
-				m.wgNetwork = &net.IPNet{
-					IP:   net.ParseIP("100.64.0.0"),
-					Mask: net.CIDRMask(10, 32),
-				}
 				b.Setenv("NB_DISABLE_CONNTRACK", "1")
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -339,10 +316,6 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolUDP,
 			state: "new",
 			setupFunc: func(m *Manager) {
-				m.wgNetwork = &net.IPNet{
-					IP:   net.ParseIP("100.64.0.0"),
-					Mask: net.CIDRMask(10, 32),
-				}
 				b.Setenv("NB_DISABLE_CONNTRACK", "1")
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -356,10 +329,6 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolUDP,
 			state: "established",
 			setupFunc: func(m *Manager) {
-				m.wgNetwork = &net.IPNet{
-					IP:   net.ParseIP("100.64.0.0"),
-					Mask: net.CIDRMask(10, 32),
-				}
 				b.Setenv("NB_DISABLE_CONNTRACK", "1")
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -373,10 +342,6 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolTCP,
 			state: "new",
 			setupFunc: func(m *Manager) {
-				m.wgNetwork = &net.IPNet{
-					IP:   net.ParseIP("0.0.0.0"),
-					Mask: net.CIDRMask(0, 32),
-				}
 				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -390,10 +355,6 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolTCP,
 			state: "established",
 			setupFunc: func(m *Manager) {
-				m.wgNetwork = &net.IPNet{
-					IP:   net.ParseIP("0.0.0.0"),
-					Mask: net.CIDRMask(0, 32),
-				}
 				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -408,10 +369,6 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolTCP,
 			state: "post_handshake",
 			setupFunc: func(m *Manager) {
-				m.wgNetwork = &net.IPNet{
-					IP:   net.ParseIP("0.0.0.0"),
-					Mask: net.CIDRMask(0, 32),
-				}
 				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -426,10 +383,6 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolUDP,
 			state: "new",
 			setupFunc: func(m *Manager) {
-				m.wgNetwork = &net.IPNet{
-					IP:   net.ParseIP("0.0.0.0"),
-					Mask: net.CIDRMask(0, 32),
-				}
 				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -443,10 +396,6 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolUDP,
 			state: "established",
 			setupFunc: func(m *Manager) {
-				m.wgNetwork = &net.IPNet{
-					IP:   net.ParseIP("0.0.0.0"),
-					Mask: net.CIDRMask(0, 32),
-				}
 				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -593,11 +542,6 @@ func BenchmarkLongLivedConnections(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
-			manager.SetNetwork(&net.IPNet{
-				IP:   net.ParseIP("100.64.0.0"),
-				Mask: net.CIDRMask(10, 32),
-			})
-
 			// Setup initial state based on scenario
 			if sc.rules {
 				// Single rule to allow all return traffic from port 80
@@ -681,11 +625,6 @@ func BenchmarkShortLivedConnections(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
-			manager.SetNetwork(&net.IPNet{
-				IP:   net.ParseIP("100.64.0.0"),
-				Mask: net.CIDRMask(10, 32),
-			})
-
 			// Setup initial state based on scenario
 			if sc.rules {
 				// Single rule to allow all return traffic from port 80
@@ -797,11 +736,6 @@ func BenchmarkParallelLongLivedConnections(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
-			manager.SetNetwork(&net.IPNet{
-				IP:   net.ParseIP("100.64.0.0"),
-				Mask: net.CIDRMask(10, 32),
-			})
-
 			// Setup initial state based on scenario
 			if sc.rules {
 				_, err := manager.AddPeerFiltering(nil, net.ParseIP("0.0.0.0"), fw.ProtocolTCP, &fw.Port{Values: []uint16{80}}, nil, fw.ActionAccept, "")
@@ -882,11 +816,6 @@ func BenchmarkParallelShortLivedConnections(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
-			manager.SetNetwork(&net.IPNet{
-				IP:   net.ParseIP("100.64.0.0"),
-				Mask: net.CIDRMask(10, 32),
-			})
-
 			if sc.rules {
 				_, err := manager.AddPeerFiltering(nil, net.ParseIP("0.0.0.0"), fw.ProtocolTCP, &fw.Port{Values: []uint16{80}}, nil, fw.ActionAccept, "")
 				require.NoError(b, err)
@@ -1032,7 +961,8 @@ func BenchmarkRouteACLs(b *testing.B) {
 	}
 
 	for _, r := range rules {
-		_, err := manager.AddRouteFiltering(nil, r.sources, r.dest, r.proto, nil, r.port, fw.ActionAccept)
+		dst := fw.Network{Prefix: r.dest}
+		_, err := manager.AddRouteFiltering(nil, r.sources, dst, r.proto, nil, r.port, fw.ActionAccept)
 		if err != nil {
 			b.Fatal(err)
 		}

client/firewall/uspfilter/uspfilter_filter_test.go

@@ -19,12 +19,8 @@ import (
 )
 
 func TestPeerACLFiltering(t *testing.T) {
-	localIP := net.ParseIP("100.10.0.100")
+	localIP := netip.MustParseAddr("100.10.0.100")
-	wgNet := &net.IPNet{
+	wgNet := netip.MustParsePrefix("100.10.0.0/16")
-		IP:   net.ParseIP("100.10.0.0"),
-		Mask: net.CIDRMask(16, 32),
-	}
-
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
@@ -43,8 +39,6 @@ func TestPeerACLFiltering(t *testing.T) {
 		require.NoError(t, manager.Close(nil))
 	})
 
-	manager.wgNetwork = wgNet
-
 	err = manager.UpdateLocalIPs()
 	require.NoError(t, err)
 
@@ -581,14 +575,13 @@ func setupRoutedManager(tb testing.TB, network string) *Manager {
 	dev := mocks.NewMockDevice(ctrl)
 	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
 
-	localIP, wgNet, err := net.ParseCIDR(network)
+	wgNet := netip.MustParsePrefix(network)
-	require.NoError(tb, err)
 
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP:      localIP,
+				IP:      wgNet.Addr(),
 				Network: wgNet,
 			}
 		},
@@ -1440,11 +1433,8 @@ func TestRouteACLSet(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP: net.ParseIP("100.10.0.100"),
+				IP:      netip.MustParseAddr("100.10.0.100"),
-				Network: &net.IPNet{
+				Network: netip.MustParsePrefix("100.10.0.0/16"),
-					IP:   net.ParseIP("100.10.0.0"),
-					Mask: net.CIDRMask(16, 32),
-				},
 			}
 		},
 	}

client/firewall/uspfilter/uspfilter_test.go

@@ -271,11 +271,8 @@ func TestNotMatchByIP(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP: net.ParseIP("100.10.0.100"),
+				IP:      netip.MustParseAddr("100.10.0.100"),
-				Network: &net.IPNet{
+				Network: netip.MustParsePrefix("100.10.0.0/16"),
-					IP:   net.ParseIP("100.10.0.0"),
-					Mask: net.CIDRMask(16, 32),
-				},
 			}
 		},
 	}
@@ -285,10 +282,6 @@ func TestNotMatchByIP(t *testing.T) {
 		t.Errorf("failed to create Manager: %v", err)
 		return
 	}
-	m.wgNetwork = &net.IPNet{
-		IP:   net.ParseIP("100.10.0.0"),
-		Mask: net.CIDRMask(16, 32),
-	}
 
 	ip := net.ParseIP("0.0.0.0")
 	proto := fw.ProtocolUDP
@@ -396,10 +389,6 @@ func TestProcessOutgoingHooks(t *testing.T) {
 	}, false, flowLogger)
 	require.NoError(t, err)
 
-	manager.wgNetwork = &net.IPNet{
-		IP:   net.ParseIP("100.10.0.0"),
-		Mask: net.CIDRMask(16, 32),
-	}
 	manager.udpTracker.Close()
 	manager.udpTracker = conntrack.NewUDPTracker(100*time.Millisecond, logger, flowLogger)
 	defer func() {
@@ -509,11 +498,6 @@ func TestStatefulFirewall_UDPTracking(t *testing.T) {
 	}, false, flowLogger)
 	require.NoError(t, err)
 
-	manager.wgNetwork = &net.IPNet{
-		IP:   net.ParseIP("100.10.0.0"),
-		Mask: net.CIDRMask(16, 32),
-	}
-
 	manager.udpTracker.Close() // Close the existing tracker
 	manager.udpTracker = conntrack.NewUDPTracker(200*time.Millisecond, logger, flowLogger)
 	manager.decoders = sync.Pool{

client/iface/bind/udp_mux_universal.go

@@ -164,7 +164,7 @@ func (u *udpConn) performFilterCheck(addr net.Addr) error {
 		return nil
 	}
 
-	if u.address.Network.Contains(a.AsSlice()) {
+	if u.address.Network.Contains(a) {
 		log.Warnf("Address %s is part of the NetBird network %s, refusing to write", addr, u.address)
 		return fmt.Errorf("address %s is part of the NetBird network %s, refusing to write", addr, u.address)
 	}

client/iface/configurer/kernel_unix.go

@@ -12,6 +12,8 @@ import (
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
+var zeroKey wgtypes.Key
+
 type KernelConfigurer struct {
 	deviceName string
 }
@@ -201,14 +203,71 @@ func (c *KernelConfigurer) configure(config wgtypes.Config) error {
 func (c *KernelConfigurer) Close() {
 }
 
-func (c *KernelConfigurer) GetStats(peerKey string) (WGStats, error) {
+func (c *KernelConfigurer) FullStats() (*Stats, error) {
-	peer, err := c.getPeer(c.deviceName, peerKey)
+	wg, err := wgctrl.New()
 	if err != nil {
-		return WGStats{}, fmt.Errorf("get wireguard stats: %w", err)
+		return nil, fmt.Errorf("wgctl: %w", err)
 	}
-	return WGStats{
+	defer func() {
+		err = wg.Close()
+		if err != nil {
+			log.Errorf("Got error while closing wgctl: %v", err)
+		}
+	}()
+
+	wgDevice, err := wg.Device(c.deviceName)
+	if err != nil {
+		return nil, fmt.Errorf("get device %s: %w", c.deviceName, err)
+	}
+	fullStats := &Stats{
+		DeviceName: wgDevice.Name,
+		PublicKey:  wgDevice.PublicKey.String(),
+		ListenPort: wgDevice.ListenPort,
+		FWMark:     wgDevice.FirewallMark,
+		Peers:      []Peer{},
+	}
+
+	for _, p := range wgDevice.Peers {
+		peer := Peer{
+			PublicKey:     p.PublicKey.String(),
+			AllowedIPs:    p.AllowedIPs,
+			TxBytes:       p.TransmitBytes,
+			RxBytes:       p.ReceiveBytes,
+			LastHandshake: p.LastHandshakeTime,
+			PresharedKey:  p.PresharedKey != zeroKey,
+		}
+		if p.Endpoint != nil {
+			peer.Endpoint = *p.Endpoint
+		}
+		fullStats.Peers = append(fullStats.Peers, peer)
+	}
+	return fullStats, nil
+}
+
+func (c *KernelConfigurer) GetStats() (map[string]WGStats, error) {
+	stats := make(map[string]WGStats)
+	wg, err := wgctrl.New()
+	if err != nil {
+		return nil, fmt.Errorf("wgctl: %w", err)
+	}
+	defer func() {
+		err = wg.Close()
+		if err != nil {
+			log.Errorf("Got error while closing wgctl: %v", err)
+		}
+	}()
+
+	wgDevice, err := wg.Device(c.deviceName)
+	if err != nil {
+		return nil, fmt.Errorf("get device %s: %w", c.deviceName, err)
+	}
+
+	for _, peer := range wgDevice.Peers {
+		stats[peer.PublicKey.String()] = WGStats{
 			LastHandshake: peer.LastHandshakeTime,
 			TxBytes:       peer.TransmitBytes,
 			RxBytes:       peer.ReceiveBytes,
-	}, nil
+		}
+	}
+	return stats, nil
 }

client/iface/configurer/usp.go

@@ -1,6 +1,7 @@
 package configurer
 
 import (
+	"encoding/base64"
 	"encoding/hex"
 	"fmt"
 	"net"
@@ -17,6 +18,20 @@ import (
 	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
+const (
+	privateKey                  = "private_key"
+	ipcKeyLastHandshakeTimeSec  = "last_handshake_time_sec"
+	ipcKeyLastHandshakeTimeNsec = "last_handshake_time_nsec"
+	ipcKeyTxBytes               = "tx_bytes"
+	ipcKeyRxBytes               = "rx_bytes"
+	allowedIP                   = "allowed_ip"
+	endpoint                    = "endpoint"
+	fwmark                      = "fwmark"
+	listenPort                  = "listen_port"
+	publicKey                   = "public_key"
+	presharedKey                = "preshared_key"
+)
+
 var ErrAllowedIPNotFound = fmt.Errorf("allowed IP not found")
 
 type WGUSPConfigurer struct {
@@ -178,6 +193,15 @@ func (c *WGUSPConfigurer) RemoveAllowedIP(peerKey string, ip string) error {
 	return c.device.IpcSet(toWgUserspaceString(config))
 }
 
+func (c *WGUSPConfigurer) FullStats() (*Stats, error) {
+	ipcStr, err := c.device.IpcGet()
+	if err != nil {
+		return nil, fmt.Errorf("IpcGet failed: %w", err)
+	}
+
+	return parseStatus(c.deviceName, ipcStr)
+}
+
 // startUAPI starts the UAPI listener for managing the WireGuard interface via external tool
 func (t *WGUSPConfigurer) startUAPI() {
 	var err error
@@ -217,91 +241,75 @@ func (t *WGUSPConfigurer) Close() {
 	}
 }
 
-func (t *WGUSPConfigurer) GetStats(peerKey string) (WGStats, error) {
+func (t *WGUSPConfigurer) GetStats() (map[string]WGStats, error) {
 	ipc, err := t.device.IpcGet()
 	if err != nil {
-		return WGStats{}, fmt.Errorf("ipc get: %w", err)
+		return nil, fmt.Errorf("ipc get: %w", err)
 	}
 
-	stats, err := findPeerInfo(ipc, peerKey, []string{
+	return parseTransfers(ipc)
-		"last_handshake_time_sec",
-		"last_handshake_time_nsec",
-		"tx_bytes",
-		"rx_bytes",
-	})
-	if err != nil {
-		return WGStats{}, fmt.Errorf("find peer info: %w", err)
-	}
-
-	sec, err := strconv.ParseInt(stats["last_handshake_time_sec"], 10, 64)
-	if err != nil {
-		return WGStats{}, fmt.Errorf("parse handshake sec: %w", err)
-	}
-	nsec, err := strconv.ParseInt(stats["last_handshake_time_nsec"], 10, 64)
-	if err != nil {
-		return WGStats{}, fmt.Errorf("parse handshake nsec: %w", err)
-	}
-	txBytes, err := strconv.ParseInt(stats["tx_bytes"], 10, 64)
-	if err != nil {
-		return WGStats{}, fmt.Errorf("parse tx_bytes: %w", err)
-	}
-	rxBytes, err := strconv.ParseInt(stats["rx_bytes"], 10, 64)
-	if err != nil {
-		return WGStats{}, fmt.Errorf("parse rx_bytes: %w", err)
-	}
-
-	return WGStats{
-		LastHandshake: time.Unix(sec, nsec),
-		TxBytes:       txBytes,
-		RxBytes:       rxBytes,
-	}, nil
 }
 
-func findPeerInfo(ipcInput string, peerKey string, searchConfigKeys []string) (map[string]string, error) {
+func parseTransfers(ipc string) (map[string]WGStats, error) {
-	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
+	stats := make(map[string]WGStats)
-	if err != nil {
+	var (
-		return nil, fmt.Errorf("parse key: %w", err)
+		currentKey   string
-	}
+		currentStats WGStats
-
+		hasPeer      bool
-	hexKey := hex.EncodeToString(peerKeyParsed[:])
+	)
-
+	lines := strings.Split(ipc, "\n")
-	lines := strings.Split(ipcInput, "\n")
-
-	configFound := map[string]string{}
-	foundPeer := false
 	for _, line := range lines {
 		line = strings.TrimSpace(line)
 
 		// If we're within the details of the found peer and encounter another public key,
 		// this means we're starting another peer's details. So, stop.
-		if strings.HasPrefix(line, "public_key=") && foundPeer {
+		if strings.HasPrefix(line, "public_key=") {
-			break
+			peerID := strings.TrimPrefix(line, "public_key=")
+			h, err := hex.DecodeString(peerID)
+			if err != nil {
+				return nil, fmt.Errorf("decode peerID: %w", err)
+			}
+			currentKey = base64.StdEncoding.EncodeToString(h)
+			currentStats = WGStats{} // Reset stats for the new peer
+			hasPeer = true
+			stats[currentKey] = currentStats
+			continue
 		}
 
-		// Identify the peer with the specific public key
+		if !hasPeer {
-		if line == fmt.Sprintf("public_key=%s", hexKey) {
+			continue
-			foundPeer = true
 		}
 
-		for _, key := range searchConfigKeys {
+		key := strings.SplitN(line, "=", 2)
-			if foundPeer && strings.HasPrefix(line, key+"=") {
+		if len(key) != 2 {
-				v := strings.SplitN(line, "=", 2)
+			continue
-				configFound[v[0]] = v[1]
 		}
+		switch key[0] {
+		case ipcKeyLastHandshakeTimeSec:
+			hs, err := toLastHandshake(key[1])
+			if err != nil {
+				return nil, err
+			}
+			currentStats.LastHandshake = hs
+			stats[currentKey] = currentStats
+		case ipcKeyRxBytes:
+			rxBytes, err := toBytes(key[1])
+			if err != nil {
+				return nil, fmt.Errorf("parse rx_bytes: %w", err)
+			}
+			currentStats.RxBytes = rxBytes
+			stats[currentKey] = currentStats
+		case ipcKeyTxBytes:
+			TxBytes, err := toBytes(key[1])
+			if err != nil {
+				return nil, fmt.Errorf("parse tx_bytes: %w", err)
+			}
+			currentStats.TxBytes = TxBytes
+			stats[currentKey] = currentStats
 		}
 	}
 
-	// todo: use multierr
+	return stats, nil
-	for _, key := range searchConfigKeys {
-		if _, ok := configFound[key]; !ok {
-			return configFound, fmt.Errorf("config key not found: %s", key)
-		}
-	}
-	if !foundPeer {
-		return nil, fmt.Errorf("%w: %s", ErrPeerNotFound, peerKey)
-	}
-
-	return configFound, nil
 }
 
 func toWgUserspaceString(wgCfg wgtypes.Config) string {
@@ -355,9 +363,154 @@ func toWgUserspaceString(wgCfg wgtypes.Config) string {
 	return sb.String()
 }
 
+func toLastHandshake(stringVar string) (time.Time, error) {
+	sec, err := strconv.ParseInt(stringVar, 10, 64)
+	if err != nil {
+		return time.Time{}, fmt.Errorf("parse handshake sec: %w", err)
+	}
+	return time.Unix(sec, 0), nil
+}
+
+func toBytes(s string) (int64, error) {
+	return strconv.ParseInt(s, 10, 64)
+}
+
 func getFwmark() int {
 	if nbnet.AdvancedRouting() {
 		return nbnet.ControlPlaneMark
 	}
 	return 0
 }
+
+func hexToWireguardKey(hexKey string) (wgtypes.Key, error) {
+	// Decode hex string to bytes
+	keyBytes, err := hex.DecodeString(hexKey)
+	if err != nil {
+		return wgtypes.Key{}, fmt.Errorf("failed to decode hex key: %w", err)
+	}
+
+	// Check if we have the right number of bytes (WireGuard keys are 32 bytes)
+	if len(keyBytes) != 32 {
+		return wgtypes.Key{}, fmt.Errorf("invalid key length: expected 32 bytes, got %d", len(keyBytes))
+	}
+
+	// Convert to wgtypes.Key
+	var key wgtypes.Key
+	copy(key[:], keyBytes)
+
+	return key, nil
+}
+
+func parseStatus(deviceName, ipcStr string) (*Stats, error) {
+	stats := &Stats{DeviceName: deviceName}
+	var currentPeer *Peer
+	for _, line := range strings.Split(strings.TrimSpace(ipcStr), "\n") {
+		if line == "" {
+			continue
+		}
+		parts := strings.SplitN(line, "=", 2)
+		if len(parts) != 2 {
+			continue
+		}
+		key := parts[0]
+		val := parts[1]
+
+		switch key {
+		case privateKey:
+			key, err := hexToWireguardKey(val)
+			if err != nil {
+				log.Errorf("failed to parse private key: %v", err)
+				continue
+			}
+			stats.PublicKey = key.PublicKey().String()
+		case publicKey:
+			// Save previous peer
+			if currentPeer != nil {
+				stats.Peers = append(stats.Peers, *currentPeer)
+			}
+			key, err := hexToWireguardKey(val)
+			if err != nil {
+				log.Errorf("failed to parse public key: %v", err)
+				continue
+			}
+			currentPeer = &Peer{
+				PublicKey: key.String(),
+			}
+		case listenPort:
+			if port, err := strconv.Atoi(val); err == nil {
+				stats.ListenPort = port
+			}
+		case fwmark:
+			if fwmark, err := strconv.Atoi(val); err == nil {
+				stats.FWMark = fwmark
+			}
+		case endpoint:
+			if currentPeer == nil {
+				continue
+			}
+
+			host, portStr, err := net.SplitHostPort(strings.Trim(val, "[]"))
+			if err != nil {
+				log.Errorf("failed to parse endpoint: %v", err)
+				continue
+			}
+			port, err := strconv.Atoi(portStr)
+			if err != nil {
+				log.Errorf("failed to parse endpoint port: %v", err)
+				continue
+			}
+			currentPeer.Endpoint = net.UDPAddr{
+				IP:   net.ParseIP(host),
+				Port: port,
+			}
+		case allowedIP:
+			if currentPeer == nil {
+				continue
+			}
+			_, ipnet, err := net.ParseCIDR(val)
+			if err == nil {
+				currentPeer.AllowedIPs = append(currentPeer.AllowedIPs, *ipnet)
+			}
+		case ipcKeyTxBytes:
+			if currentPeer == nil {
+				continue
+			}
+			rxBytes, err := toBytes(val)
+			if err != nil {
+				continue
+			}
+			currentPeer.TxBytes = rxBytes
+		case ipcKeyRxBytes:
+			if currentPeer == nil {
+				continue
+			}
+			rxBytes, err := toBytes(val)
+			if err != nil {
+				continue
+			}
+			currentPeer.RxBytes = rxBytes
+
+		case ipcKeyLastHandshakeTimeSec:
+			if currentPeer == nil {
+				continue
+			}
+
+			ts, err := toLastHandshake(val)
+			if err != nil {
+				continue
+			}
+			currentPeer.LastHandshake = ts
+		case presharedKey:
+			if currentPeer == nil {
+				continue
+			}
+			if val != "" {
+				currentPeer.PresharedKey = true
+			}
+		}
+	}
+	if currentPeer != nil {
+		stats.Peers = append(stats.Peers, *currentPeer)
+	}
+	return stats, nil
+}

client/iface/configurer/usp_test.go

@@ -2,10 +2,8 @@ package configurer
 
 import (
 	"encoding/hex"
-	"fmt"
 	"testing"
 
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
@@ -34,58 +32,35 @@ errno=0
 
 `
 
-func Test_findPeerInfo(t *testing.T) {
+func Test_parseTransfers(t *testing.T) {
 	tests := []struct {
 		name    string
 		peerKey string
-		searchKeys []string
+		want    WGStats
-		want       map[string]string
-		wantErr    bool
 	}{
 		{
 			name:    "single",
-			peerKey:    "58402e695ba1772b1cc9309755f043251ea77fdcf10fbe63989ceb7e19321376",
+			peerKey: "b85996fecc9c7f1fc6d2572a76eda11d59bcd20be8e543b15ce4bd85a8e75a33",
-			searchKeys: []string{"tx_bytes"},
+			want: WGStats{
-			want: map[string]string{
+				TxBytes: 0,
-				"tx_bytes": "38333",
+				RxBytes: 0,
 			},
-			wantErr: false,
 		},
 		{
 			name:    "multiple",
 			peerKey: "58402e695ba1772b1cc9309755f043251ea77fdcf10fbe63989ceb7e19321376",
-			searchKeys: []string{"tx_bytes", "rx_bytes"},
+			want: WGStats{
-			want: map[string]string{
+				TxBytes: 38333,
-				"tx_bytes": "38333",
+				RxBytes: 2224,
-				"rx_bytes": "2224",
 			},
-			wantErr: false,
 		},
 		{
 			name:    "lastpeer",
 			peerKey: "662e14fd594556f522604703340351258903b64f35553763f19426ab2a515c58",
-			searchKeys: []string{"tx_bytes", "rx_bytes"},
+			want: WGStats{
-			want: map[string]string{
+				TxBytes: 1212111,
-				"tx_bytes": "1212111",
+				RxBytes: 1929999999,
-				"rx_bytes": "1929999999",
 			},
-			wantErr: false,
-		},
-		{
-			name:       "peer not found",
-			peerKey:    "1111111111111111111111111111111111111111111111111111111111111111",
-			searchKeys: nil,
-			want:       nil,
-			wantErr:    true,
-		},
-		{
-			name:       "key not found",
-			peerKey:    "662e14fd594556f522604703340351258903b64f35553763f19426ab2a515c58",
-			searchKeys: []string{"tx_bytes", "unknown_key"},
-			want: map[string]string{
-				"tx_bytes": "1212111",
-			},
-			wantErr: true,
 		},
 	}
 	for _, tt := range tests {
@@ -96,9 +71,19 @@ func Test_findPeerInfo(t *testing.T) {
 			key, err := wgtypes.NewKey(res)
 			require.NoError(t, err)
 
-			got, err := findPeerInfo(ipcFixture, key.String(), tt.searchKeys)
+			stats, err := parseTransfers(ipcFixture)
-			assert.Equalf(t, tt.wantErr, err != nil, fmt.Sprintf("findPeerInfo(%v, %v, %v)", ipcFixture, key.String(), tt.searchKeys))
+			if err != nil {
-			assert.Equalf(t, tt.want, got, "findPeerInfo(%v, %v, %v)", ipcFixture, key.String(), tt.searchKeys)
+				require.NoError(t, err)
+				return
+			}
+
+			stat, ok := stats[key.String()]
+			if !ok {
+				require.True(t, ok)
+				return
+			}
+
+			require.Equal(t, tt.want, stat)
 		})
 	}
 }

client/iface/configurer/wgshow.go

@@ -0,0 +1,24 @@
+package configurer
+
+import (
+	"net"
+	"time"
+)
+
+type Peer struct {
+	PublicKey     string
+	Endpoint      net.UDPAddr
+	AllowedIPs    []net.IPNet
+	TxBytes       int64
+	RxBytes       int64
+	LastHandshake time.Time
+	PresharedKey  bool
+}
+
+type Stats struct {
+	DeviceName string
+	PublicKey  string
+	ListenPort int
+	FWMark     int
+	Peers      []Peer
+}

client/iface/device/device_filter.go

@@ -1,7 +1,6 @@
 package device
 
 import (
-	"net"
 	"net/netip"
 	"sync"
 
@@ -24,9 +23,6 @@ type PacketFilter interface {
 
 	// RemovePacketHook removes hook by ID
 	RemovePacketHook(hookID string) error
-
-	// SetNetwork of the wireguard interface to which filtering applied
-	SetNetwork(*net.IPNet)
 }
 
 // FilteredDevice to override Read or Write of packets

client/iface/device/device_netstack.go

@@ -51,7 +51,11 @@ func (t *TunNetstackDevice) Create() (WGConfigurer, error) {
 	log.Info("create nbnetstack tun interface")
 
 	// TODO: get from service listener runtime IP
-	dnsAddr := nbnet.GetLastIPFromNetwork(t.address.Network, 1)
+	dnsAddr, err := nbnet.GetLastIPFromNetwork(t.address.Network, 1)
+	if err != nil {
+		return nil, fmt.Errorf("last ip: %w", err)
+	}
+
 	log.Debugf("netstack using address: %s", t.address.IP)
 	t.nsTun = nbnetstack.NewNetStackTun(t.listenAddress, t.address.IP, dnsAddr, t.mtu)
 	log.Debugf("netstack using dns address: %s", dnsAddr)

client/iface/device/interface.go

@@ -16,5 +16,6 @@ type WGConfigurer interface {
 	AddAllowedIP(peerKey string, allowedIP string) error
 	RemoveAllowedIP(peerKey string, allowedIP string) error
 	Close()
-	GetStats(peerKey string) (configurer.WGStats, error)
+	GetStats() (map[string]configurer.WGStats, error)
+	FullStats() (*configurer.Stats, error)
 }

client/iface/device/wg_link_freebsd.go

@@ -64,7 +64,15 @@ func (l *wgLink) assignAddr(address wgaddr.Address) error {
 	}
 
 	ip := address.IP.String()
-	mask := "0x" + address.Network.Mask.String()
+
+	// Convert prefix length to hex netmask
+	prefixLen := address.Network.Bits()
+	if !address.IP.Is4() {
+		return fmt.Errorf("IPv6 not supported for interface assignment")
+	}
+
+	maskBits := uint32(0xffffffff) << (32 - prefixLen)
+	mask := fmt.Sprintf("0x%08x", maskBits)
 
 	log.Infof("assign addr %s mask %s to %s interface", ip, mask, l.name)
 

client/iface/iface.go

@@ -185,7 +185,6 @@ func (w *WGIface) SetFilter(filter device.PacketFilter) error {
 	}
 
 	w.filter = filter
-	w.filter.SetNetwork(w.tun.WgAddress().Network)
 
 	w.tun.FilteredDevice().SetFilter(filter)
 	return nil
@@ -212,9 +211,13 @@ func (w *WGIface) GetWGDevice() *wgdevice.Device {
 	return w.tun.Device()
 }
 
-// GetStats returns the last handshake time, rx and tx bytes for the given peer
+// GetStats returns the last handshake time, rx and tx bytes
-func (w *WGIface) GetStats(peerKey string) (configurer.WGStats, error) {
+func (w *WGIface) GetStats() (map[string]configurer.WGStats, error) {
-	return w.configurer.GetStats(peerKey)
+	return w.configurer.GetStats()
+}
+
+func (w *WGIface) FullStats() (*configurer.Stats, error) {
+	return w.configurer.FullStats()
 }
 
 func (w *WGIface) waitUntilRemoved() error {

client/iface/mocks/filter.go

@@ -5,7 +5,6 @@
 package mocks
 
 import (
-	net "net"
 	"net/netip"
 	reflect "reflect"
 
@@ -90,15 +89,3 @@ func (mr *MockPacketFilterMockRecorder) RemovePacketHook(arg0 interface{}) *gomo
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemovePacketHook", reflect.TypeOf((*MockPacketFilter)(nil).RemovePacketHook), arg0)
 }
-
-// SetNetwork mocks base method.
-func (m *MockPacketFilter) SetNetwork(arg0 *net.IPNet) {
-	m.ctrl.T.Helper()
-	m.ctrl.Call(m, "SetNetwork", arg0)
-}
-
-// SetNetwork indicates an expected call of SetNetwork.
-func (mr *MockPacketFilterMockRecorder) SetNetwork(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetNetwork", reflect.TypeOf((*MockPacketFilter)(nil).SetNetwork), arg0)
-}

client/iface/netstack/tun.go

@@ -1,8 +1,6 @@
 package netstack
 
 import (
-	"fmt"
-	"net"
 	"net/netip"
 	"os"
 	"strconv"
@@ -15,8 +13,8 @@ import (
 const EnvSkipProxy = "NB_NETSTACK_SKIP_PROXY"
 
 type NetStackTun struct { //nolint:revive
-	address       net.IP
+	address       netip.Addr
-	dnsAddress    net.IP
+	dnsAddress    netip.Addr
 	mtu           int
 	listenAddress string
 
@@ -24,7 +22,7 @@ type NetStackTun struct { //nolint:revive
 	tundev tun.Device
 }
 
-func NewNetStackTun(listenAddress string, address net.IP, dnsAddress net.IP, mtu int) *NetStackTun {
+func NewNetStackTun(listenAddress string, address netip.Addr, dnsAddress netip.Addr, mtu int) *NetStackTun {
 	return &NetStackTun{
 		address:       address,
 		dnsAddress:    dnsAddress,
@@ -34,19 +32,9 @@ func NewNetStackTun(listenAddress string, address net.IP, dnsAddress net.IP, mtu
 }
 
 func (t *NetStackTun) Create() (tun.Device, *netstack.Net, error) {
-	addr, ok := netip.AddrFromSlice(t.address)
-	if !ok {
-		return nil, nil, fmt.Errorf("convert address to netip.Addr: %v", t.address)
-	}
-
-	dnsAddr, ok := netip.AddrFromSlice(t.dnsAddress)
-	if !ok {
-		return nil, nil, fmt.Errorf("convert dns address to netip.Addr: %v", t.dnsAddress)
-	}
-
 	nsTunDev, tunNet, err := netstack.CreateNetTUN(
-		[]netip.Addr{addr.Unmap()},
+		[]netip.Addr{t.address},
-		[]netip.Addr{dnsAddr.Unmap()},
+		[]netip.Addr{t.dnsAddress},
 		t.mtu)
 	if err != nil {
 		return nil, nil, err

client/iface/wgaddr/address.go

@@ -2,28 +2,27 @@ package wgaddr
 
 import (
 	"fmt"
-	"net"
+	"net/netip"
 )
 
 // Address WireGuard parsed address
 type Address struct {
-	IP      net.IP
+	IP      netip.Addr
-	Network *net.IPNet
+	Network netip.Prefix
 }
 
 // ParseWGAddress parse a string ("1.2.3.4/24") address to WG Address
 func ParseWGAddress(address string) (Address, error) {
-	ip, network, err := net.ParseCIDR(address)
+	prefix, err := netip.ParsePrefix(address)
 	if err != nil {
 		return Address{}, err
 	}
 	return Address{
-		IP:      ip,
+		IP:      prefix.Addr().Unmap(),
-		Network: network,
+		Network: prefix.Masked(),
 	}, nil
 }
 
 func (addr Address) String() string {
-	maskSize, _ := addr.Network.Mask.Size()
+	return fmt.Sprintf("%s/%d", addr.IP.String(), addr.Network.Bits())
-	return fmt.Sprintf("%s/%d", addr.IP.String(), maskSize)
 }

client/installer.nsis

@@ -24,6 +24,8 @@
 
 !define AUTOSTART_REG_KEY "Software\Microsoft\Windows\CurrentVersion\Run"
 
+!define NETBIRD_DATA_DIR "$COMMONPROGRAMDATA\Netbird"
+
 Unicode True
 
 ######################################################################
@@ -49,6 +51,10 @@ ShowInstDetails Show
 
 ######################################################################
 
+!include "MUI2.nsh"
+!include LogicLib.nsh
+!include "nsDialogs.nsh"
+
 !define MUI_ICON "${ICON}"
 !define MUI_UNICON "${ICON}"
 !define MUI_WELCOMEFINISHPAGE_BITMAP "${BANNER}"
@@ -58,9 +64,6 @@ ShowInstDetails Show
 !define MUI_FINISHPAGE_RUN_FUNCTION "LaunchLink"
 ######################################################################
 
-!include "MUI2.nsh"
-!include LogicLib.nsh
-
 !define MUI_ABORTWARNING
 !define MUI_UNABORTWARNING
 
@@ -70,13 +73,16 @@ ShowInstDetails Show
 
 !insertmacro MUI_PAGE_DIRECTORY
 
-; Custom page for autostart checkbox
 Page custom AutostartPage AutostartPageLeave
 
 !insertmacro MUI_PAGE_INSTFILES
 
 !insertmacro MUI_PAGE_FINISH
 
+!insertmacro MUI_UNPAGE_WELCOME
+
+UninstPage custom un.DeleteDataPage un.DeleteDataPageLeave
+
 !insertmacro MUI_UNPAGE_CONFIRM
 
 !insertmacro MUI_UNPAGE_INSTFILES
@@ -89,6 +95,10 @@ Page custom AutostartPage AutostartPageLeave
 Var AutostartCheckbox
 Var AutostartEnabled
 
+; Variables for uninstall data deletion option
+Var DeleteDataCheckbox
+Var DeleteDataEnabled
+
 ######################################################################
 
 ; Function to create the autostart options page
@@ -104,8 +114,8 @@ Function AutostartPage
 
   ${NSD_CreateCheckbox} 0 20u 100% 10u "Start ${APP_NAME} UI automatically when Windows starts"
   Pop $AutostartCheckbox
-  ${NSD_Check} $AutostartCheckbox ; Default to checked
+  ${NSD_Check} $AutostartCheckbox
-  StrCpy $AutostartEnabled "1" ; Default to enabled
+  StrCpy $AutostartEnabled "1"
 
   nsDialogs::Show
 FunctionEnd
@@ -115,6 +125,30 @@ Function AutostartPageLeave
   ${NSD_GetState} $AutostartCheckbox $AutostartEnabled
 FunctionEnd
 
+; Function to create the uninstall data deletion page
+Function un.DeleteDataPage
+  !insertmacro MUI_HEADER_TEXT "Uninstall Options" "Choose whether to delete ${APP_NAME} data."
+
+  nsDialogs::Create 1018
+  Pop $0
+
+  ${If} $0 == error
+    Abort
+  ${EndIf}
+
+  ${NSD_CreateCheckbox} 0 20u 100% 10u "Delete all ${APP_NAME} configuration and state data (${NETBIRD_DATA_DIR})"
+  Pop $DeleteDataCheckbox
+  ${NSD_Uncheck} $DeleteDataCheckbox
+  StrCpy $DeleteDataEnabled "0"
+
+  nsDialogs::Show
+FunctionEnd
+
+; Function to handle leaving the data deletion page
+Function un.DeleteDataPageLeave
+  ${NSD_GetState} $DeleteDataCheckbox $DeleteDataEnabled
+FunctionEnd
+
 Function GetAppFromCommand
 Exch $1
 Push $2
@@ -225,31 +259,58 @@ SectionEnd
 Section Uninstall
 ${INSTALL_TYPE}
 
+DetailPrint "Stopping Netbird service..."
 ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service stop'
+DetailPrint "Uninstalling Netbird service..."
 ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service uninstall'
 
-# kill ui client
+DetailPrint "Terminating Netbird UI process..."
 ExecWait `taskkill /im ${UI_APP_EXE}.exe /f`
 
 ; Remove autostart registry entry
+DetailPrint "Removing autostart registry entry if exists..."
 DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
 
+; Handle data deletion based on checkbox
+DetailPrint "Checking if user requested data deletion..."
+${If} $DeleteDataEnabled == "1"
+    DetailPrint "User opted to delete Netbird data. Removing ${NETBIRD_DATA_DIR}..."
+    ClearErrors
+    RMDir /r "${NETBIRD_DATA_DIR}"
+    IfErrors 0 +2 ; If no errors, jump over the message
+    DetailPrint "Error deleting Netbird data directory. It might be in use or already removed."
+    DetailPrint "Netbird data directory removal complete."
+${Else}
+    DetailPrint "User did not opt to delete Netbird data."
+${EndIf}
+
 # wait the service uninstall take unblock the executable
+DetailPrint "Waiting for service handle to be released..."
 Sleep 3000
+
+DetailPrint "Deleting application files..."
 Delete "$INSTDIR\${UI_APP_EXE}"
 Delete "$INSTDIR\${MAIN_APP_EXE}"
 Delete "$INSTDIR\wintun.dll"
 Delete "$INSTDIR\opengl32.dll"
+DetailPrint "Removing application directory..."
 RmDir /r "$INSTDIR"
 
+DetailPrint "Removing shortcuts..."
 SetShellVarContext all
 Delete "$DESKTOP\${APP_NAME}.lnk"
 Delete "$SMPROGRAMS\${APP_NAME}.lnk"
 
+DetailPrint "Removing registry keys..."
 DeleteRegKey ${REG_ROOT} "${REG_APP_PATH}"
 DeleteRegKey ${REG_ROOT} "${UNINSTALL_PATH}"
+DeleteRegKey ${REG_ROOT} "${UI_REG_APP_PATH}"
+
+DetailPrint "Removing application directory from PATH..."
 EnVar::SetHKLM
 EnVar::DeleteValue "path" "$INSTDIR"
+
+DetailPrint "Uninstallation finished."
 SectionEnd
 
 

client/internal/acl/manager.go

@@ -58,6 +58,11 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRout
 	d.mutex.Lock()
 	defer d.mutex.Unlock()
 
+	if d.firewall == nil {
+		log.Debug("firewall manager is not supported, skipping firewall rules")
+		return
+	}
+
 	start := time.Now()
 	defer func() {
 		total := 0
@@ -69,20 +74,8 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRout
 			time.Since(start), total)
 	}()
 
-	if d.firewall == nil {
-		log.Debug("firewall manager is not supported, skipping firewall rules")
-		return
-	}
-
 	d.applyPeerACLs(networkMap)
 
-	// If we got empty rules list but management did not set the networkMap.FirewallRulesIsEmpty flag,
-	// then the mgmt server is older than the client, and we need to allow all traffic for routes
-	isLegacy := len(networkMap.RoutesFirewallRules) == 0 && !networkMap.RoutesFirewallRulesIsEmpty
-	if err := d.firewall.SetLegacyManagement(isLegacy); err != nil {
-		log.Errorf("failed to set legacy management flag: %v", err)
-	}
-
 	if err := d.applyRouteACLs(networkMap.RoutesFirewallRules, dnsRouteFeatureFlag); err != nil {
 		log.Errorf("Failed to apply route ACLs: %v", err)
 	}
@@ -291,8 +284,10 @@ func (d *DefaultManager) protoRuleToFirewallRule(
 	case mgmProto.RuleDirection_IN:
 		rules, err = d.addInRules(r.PolicyID, ip, protocol, port, action, ipsetName)
 	case mgmProto.RuleDirection_OUT:
-		// TODO: Remove this soon. Outbound rules are obsolete.
+		if d.firewall.IsStateful() {
-		// We only maintain this for return traffic (inbound dir) which is now handled by the stateful firewall already
+			return "", nil, nil
+		}
+		// return traffic for outbound connections if firewall is stateless
 		rules, err = d.addOutRules(r.PolicyID, ip, protocol, port, action, ipsetName)
 	default:
 		return "", nil, fmt.Errorf("invalid direction, skipping firewall rule")

client/internal/acl/manager_test.go

@@ -1,13 +1,14 @@
 package acl
 
 import (
-	"net"
+	"net/netip"
 	"testing"
 
 	"github.com/golang/mock/gomock"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	"github.com/netbirdio/netbird/client/firewall"
-	"github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/acl/mocks"
 	"github.com/netbirdio/netbird/client/internal/netflow"
@@ -42,35 +43,31 @@ func TestDefaultManager(t *testing.T) {
 	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
 	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
 	ifaceMock.EXPECT().SetFilter(gomock.Any())
-	ip, network, err := net.ParseCIDR("172.0.0.1/32")
+	network := netip.MustParsePrefix("172.0.0.1/32")
-	if err != nil {
-		t.Fatalf("failed to parse IP address: %v", err)
-	}
 
 	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
 	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
-		IP:      ip,
+		IP:      network.Addr(),
 		Network: network,
 	}).AnyTimes()
 	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
 
-	// we receive one rule from the management so for testing purposes ignore it
 	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false)
-	if err != nil {
+	require.NoError(t, err)
-		t.Errorf("create firewall: %v", err)
+	defer func() {
-		return
+		err = fw.Close(nil)
-	}
+		require.NoError(t, err)
-	defer func(fw manager.Manager) {
+	}()
-		_ = fw.Close(nil)
+
-	}(fw)
 	acl := NewDefaultManager(fw)
 
 	t.Run("apply firewall rules", func(t *testing.T) {
 		acl.ApplyFiltering(networkMap, false)
 
-		if len(acl.peerRulesPairs) != 2 {
+		if fw.IsStateful() {
-			t.Errorf("firewall rules not applied: %v", acl.peerRulesPairs)
+			assert.Equal(t, 0, len(acl.peerRulesPairs))
-			return
+		} else {
+			assert.Equal(t, 2, len(acl.peerRulesPairs))
 		}
 	})
 
@@ -94,12 +91,13 @@ func TestDefaultManager(t *testing.T) {
 
 		acl.ApplyFiltering(networkMap, false)
 
-		// we should have one old and one new rule in the existed rules
+		expectedRules := 2
-		if len(acl.peerRulesPairs) != 2 {
+		if fw.IsStateful() {
-			t.Errorf("firewall rules not applied")
+			expectedRules = 1 // only the inbound rule
-			return
 		}
 
+		assert.Equal(t, expectedRules, len(acl.peerRulesPairs))
+
 		// check that old rule was removed
 		previousCount := 0
 		for id := range acl.peerRulesPairs {
@@ -107,26 +105,86 @@ func TestDefaultManager(t *testing.T) {
 				previousCount++
 			}
 		}
-		if previousCount != 1 {
+
-			t.Errorf("old rule was not removed")
+		expectedPreviousCount := 0
+		if !fw.IsStateful() {
+			expectedPreviousCount = 1
 		}
+		assert.Equal(t, expectedPreviousCount, previousCount)
 	})
 
 	t.Run("handle default rules", func(t *testing.T) {
 		networkMap.FirewallRules = networkMap.FirewallRules[:0]
 
 		networkMap.FirewallRulesIsEmpty = true
-		if acl.ApplyFiltering(networkMap, false); len(acl.peerRulesPairs) != 0 {
+		acl.ApplyFiltering(networkMap, false)
-			t.Errorf("rules should be empty if FirewallRulesIsEmpty is set, got: %v", len(acl.peerRulesPairs))
+		assert.Equal(t, 0, len(acl.peerRulesPairs))
-			return
-		}
 
 		networkMap.FirewallRulesIsEmpty = false
 		acl.ApplyFiltering(networkMap, false)
-		if len(acl.peerRulesPairs) != 1 {
+
-			t.Errorf("rules should contain 1 rules if FirewallRulesIsEmpty is not set, got: %v", len(acl.peerRulesPairs))
+		expectedRules := 1
-			return
+		if fw.IsStateful() {
+			expectedRules = 1 // only inbound allow-all rule
 		}
+		assert.Equal(t, expectedRules, len(acl.peerRulesPairs))
+	})
+}
+
+func TestDefaultManagerStateless(t *testing.T) {
+	// stateless currently only in userspace, so we have to disable kernel
+	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
+	t.Setenv("NB_DISABLE_CONNTRACK", "true")
+
+	networkMap := &mgmProto.NetworkMap{
+		FirewallRules: []*mgmProto.FirewallRule{
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.RuleDirection_OUT,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_TCP,
+				Port:      "80",
+			},
+			{
+				PeerIP:    "10.93.0.2",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_UDP,
+				Port:      "53",
+			},
+		},
+	}
+
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
+	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
+	ifaceMock.EXPECT().SetFilter(gomock.Any())
+	network := netip.MustParsePrefix("172.0.0.1/32")
+
+	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
+	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
+		IP:      network.Addr(),
+		Network: network,
+	}).AnyTimes()
+	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
+
+	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false)
+	require.NoError(t, err)
+	defer func() {
+		err = fw.Close(nil)
+		require.NoError(t, err)
+	}()
+
+	acl := NewDefaultManager(fw)
+
+	t.Run("stateless firewall creates outbound rules", func(t *testing.T) {
+		acl.ApplyFiltering(networkMap, false)
+
+		// In stateless mode, we should have both inbound and outbound rules
+		assert.False(t, fw.IsStateful())
+		assert.Equal(t, 2, len(acl.peerRulesPairs))
 	})
 }
 
@@ -192,42 +250,19 @@ func TestDefaultManagerSquashRules(t *testing.T) {
 
 	manager := &DefaultManager{}
 	rules, _ := manager.squashAcceptRules(networkMap)
-	if len(rules) != 2 {
+	assert.Equal(t, 2, len(rules))
-		t.Errorf("rules should contain 2, got: %v", rules)
-		return
-	}
 
 	r := rules[0]
-	switch {
+	assert.Equal(t, "0.0.0.0", r.PeerIP)
-	case r.PeerIP != "0.0.0.0":
+	assert.Equal(t, mgmProto.RuleDirection_IN, r.Direction)
-		t.Errorf("IP should be 0.0.0.0, got: %v", r.PeerIP)
+	assert.Equal(t, mgmProto.RuleProtocol_ALL, r.Protocol)
-		return
+	assert.Equal(t, mgmProto.RuleAction_ACCEPT, r.Action)
-	case r.Direction != mgmProto.RuleDirection_IN:
-		t.Errorf("direction should be IN, got: %v", r.Direction)
-		return
-	case r.Protocol != mgmProto.RuleProtocol_ALL:
-		t.Errorf("protocol should be ALL, got: %v", r.Protocol)
-		return
-	case r.Action != mgmProto.RuleAction_ACCEPT:
-		t.Errorf("action should be ACCEPT, got: %v", r.Action)
-		return
-	}
 
 	r = rules[1]
-	switch {
+	assert.Equal(t, "0.0.0.0", r.PeerIP)
-	case r.PeerIP != "0.0.0.0":
+	assert.Equal(t, mgmProto.RuleDirection_OUT, r.Direction)
-		t.Errorf("IP should be 0.0.0.0, got: %v", r.PeerIP)
+	assert.Equal(t, mgmProto.RuleProtocol_ALL, r.Protocol)
-		return
+	assert.Equal(t, mgmProto.RuleAction_ACCEPT, r.Action)
-	case r.Direction != mgmProto.RuleDirection_OUT:
-		t.Errorf("direction should be OUT, got: %v", r.Direction)
-		return
-	case r.Protocol != mgmProto.RuleProtocol_ALL:
-		t.Errorf("protocol should be ALL, got: %v", r.Protocol)
-		return
-	case r.Action != mgmProto.RuleAction_ACCEPT:
-		t.Errorf("action should be ACCEPT, got: %v", r.Action)
-		return
-	}
 }
 
 func TestDefaultManagerSquashRulesNoAffect(t *testing.T) {
@@ -291,9 +326,8 @@ func TestDefaultManagerSquashRulesNoAffect(t *testing.T) {
 	}
 
 	manager := &DefaultManager{}
-	if rules, _ := manager.squashAcceptRules(networkMap); len(rules) != len(networkMap.FirewallRules) {
+	rules, _ := manager.squashAcceptRules(networkMap)
-		t.Errorf("we should get the same amount of rules as output, got %v", len(rules))
+	assert.Equal(t, len(networkMap.FirewallRules), len(rules))
-	}
 }
 
 func TestDefaultManagerEnableSSHRules(t *testing.T) {
@@ -336,33 +370,29 @@ func TestDefaultManagerEnableSSHRules(t *testing.T) {
 	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
 	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
 	ifaceMock.EXPECT().SetFilter(gomock.Any())
-	ip, network, err := net.ParseCIDR("172.0.0.1/32")
+	network := netip.MustParsePrefix("172.0.0.1/32")
-	if err != nil {
-		t.Fatalf("failed to parse IP address: %v", err)
-	}
 
 	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
 	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
-		IP:      ip,
+		IP:      network.Addr(),
 		Network: network,
 	}).AnyTimes()
 	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
 
-	// we receive one rule from the management so for testing purposes ignore it
 	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false)
-	if err != nil {
+	require.NoError(t, err)
-		t.Errorf("create firewall: %v", err)
+	defer func() {
-		return
+		err = fw.Close(nil)
-	}
+		require.NoError(t, err)
-	defer func(fw manager.Manager) {
+	}()
-		_ = fw.Close(nil)
+
-	}(fw)
 	acl := NewDefaultManager(fw)
 
 	acl.ApplyFiltering(networkMap, false)
 
-	if len(acl.peerRulesPairs) != 3 {
+	expectedRules := 3
-		t.Errorf("expect 3 rules (last must be SSH), got: %d", len(acl.peerRulesPairs))
+	if fw.IsStateful() {
-		return
+		expectedRules = 3 // 2 inbound rules + SSH rule
 	}
+	assert.Equal(t, expectedRules, len(acl.peerRulesPairs))
 }

client/internal/auth/oauth.go

@@ -64,13 +64,8 @@ func (t TokenInfo) GetTokenToUse() string {
 // and if that also fails, the authentication process is deemed unsuccessful
 //
 // On Linux distros without desktop environment support, it only tries to initialize the Device Code Flow
-func NewOAuthFlow(ctx context.Context, config *internal.Config, isLinuxDesktopClient bool) (OAuthFlow, error) {
+func NewOAuthFlow(ctx context.Context, config *internal.Config, isUnixDesktopClient bool) (OAuthFlow, error) {
-	if runtime.GOOS == "linux" && !isLinuxDesktopClient {
+	if (runtime.GOOS == "linux" || runtime.GOOS == "freebsd") && !isUnixDesktopClient {
-		return authenticateWithDeviceCodeFlow(ctx, config)
-	}
-
-	// On FreeBSD we currently do not support desktop environments and offer only Device Code Flow (#2384)
-	if runtime.GOOS == "freebsd" {
 		return authenticateWithDeviceCodeFlow(ctx, config)
 	}
 

client/internal/auth/pkce_flow.go

@@ -101,8 +101,13 @@ func (p *PKCEAuthorizationFlow) RequestAuthInfo(ctx context.Context) (AuthFlowIn
 		oauth2.SetAuthURLParam("audience", p.providerConfig.Audience),
 	}
 	if !p.providerConfig.DisablePromptLogin {
+		if p.providerConfig.LoginFlag.IsPromptLogin() {
 			params = append(params, oauth2.SetAuthURLParam("prompt", "login"))
 		}
+		if p.providerConfig.LoginFlag.IsMaxAge0Login() {
+			params = append(params, oauth2.SetAuthURLParam("max_age", "0"))
+		}
+	}
 
 	authURL := p.oAuthConfig.AuthCodeURL(state, params...)
 

client/internal/auth/pkce_flow_test.go

@@ -7,15 +7,36 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/netbirdio/netbird/client/internal"
+	mgm "github.com/netbirdio/netbird/management/client/common"
 )
 
 func TestPromptLogin(t *testing.T) {
+	const (
+		promptLogin = "prompt=login"
+		maxAge0     = "max_age=0"
+	)
+
 	tt := []struct {
 		name               string
-		prompt bool
+		loginFlag          mgm.LoginFlag
+		disablePromptLogin bool
+		expect             string
 	}{
-		{"PromptLogin", true},
+		{
-		{"NoPromptLogin", false},
+			name:      "Prompt login",
+			loginFlag: mgm.LoginFlagPrompt,
+			expect:    promptLogin,
+		},
+		{
+			name:      "Max age 0 login",
+			loginFlag: mgm.LoginFlagMaxAge0,
+			expect:    maxAge0,
+		},
+		{
+			name:               "Disable prompt login",
+			loginFlag:          mgm.LoginFlagPrompt,
+			disablePromptLogin: true,
+		},
 	}
 
 	for _, tc := range tt {
@@ -28,7 +49,7 @@ func TestPromptLogin(t *testing.T) {
 				AuthorizationEndpoint: "https://test-auth-endpoint.com/authorize",
 				RedirectURLs:          []string{"http://127.0.0.1:33992/"},
 				UseIDToken:            true,
-				DisablePromptLogin:    !tc.prompt,
+				LoginFlag:             tc.loginFlag,
 			}
 			pkce, err := NewPKCEAuthorizationFlow(config)
 			if err != nil {
@@ -38,11 +59,12 @@ func TestPromptLogin(t *testing.T) {
 			if err != nil {
 				t.Fatalf("Failed to request auth info: %v", err)
 			}
-			pattern := "prompt=login"
+
-			if tc.prompt {
+			if !tc.disablePromptLogin {
-				require.Contains(t, authInfo.VerificationURIComplete, pattern)
+				require.Contains(t, authInfo.VerificationURIComplete, tc.expect)
 			} else {
-				require.NotContains(t, authInfo.VerificationURIComplete, pattern)
+				require.Contains(t, authInfo.VerificationURIComplete, promptLogin)
+				require.NotContains(t, authInfo.VerificationURIComplete, maxAge0)
 			}
 		})
 	}

client/internal/config.go

@@ -68,12 +68,14 @@ type ConfigInput struct {
 	DisableServerRoutes *bool
 	DisableDNS          *bool
 	DisableFirewall     *bool
-
 	BlockLANAccess      *bool
+	BlockInbound        *bool
 
 	DisableNotifications *bool
 
 	DNSLabels domain.List
+
+	LazyConnectionEnabled *bool
 }
 
 // Config Configuration type
@@ -96,8 +98,8 @@ type Config struct {
 	DisableServerRoutes bool
 	DisableDNS          bool
 	DisableFirewall     bool
-
 	BlockLANAccess      bool
+	BlockInbound        bool
 
 	DisableNotifications *bool
 
@@ -138,6 +140,8 @@ type Config struct {
 	ClientCertKeyPath string
 
 	ClientCertKeyPair *tls.Certificate `json:"-"`
+
+	LazyConnectionEnabled bool
 }
 
 // ReadConfig read config file and return with Config. If it is not exists create a new with default values
@@ -479,6 +483,16 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}
 
+	if input.BlockInbound != nil && *input.BlockInbound != config.BlockInbound {
+		if *input.BlockInbound {
+			log.Infof("blocking inbound connections")
+		} else {
+			log.Infof("allowing inbound connections")
+		}
+		config.BlockInbound = *input.BlockInbound
+		updated = true
+	}
+
 	if input.DisableNotifications != nil && input.DisableNotifications != config.DisableNotifications {
 		if *input.DisableNotifications {
 			log.Infof("disabling notifications")
@@ -524,6 +538,12 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}
 
+	if input.LazyConnectionEnabled != nil && *input.LazyConnectionEnabled != config.LazyConnectionEnabled {
+		log.Infof("switching lazy connection to %t", *input.LazyConnectionEnabled)
+		config.LazyConnectionEnabled = *input.LazyConnectionEnabled
+		updated = true
+	}
+
 	return updated, nil
 }
 

client/internal/conn_mgr.go

@@ -0,0 +1,303 @@
+package internal
+
+import (
+	"context"
+	"os"
+	"strconv"
+	"sync"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/lazyconn"
+	"github.com/netbirdio/netbird/client/internal/lazyconn/manager"
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/peer/dispatcher"
+	"github.com/netbirdio/netbird/client/internal/peerstore"
+)
+
+// ConnMgr coordinates both lazy connections (established on-demand) and permanent peer connections.
+//
+// The connection manager is responsible for:
+// - Managing lazy connections via the lazyConnManager
+// - Maintaining a list of excluded peers that should always have permanent connections
+// - Handling connection establishment based on peer signaling
+//
+// The implementation is not thread-safe; it is protected by engine.syncMsgMux.
+type ConnMgr struct {
+	peerStore      *peerstore.Store
+	statusRecorder *peer.Status
+	iface          lazyconn.WGIface
+	dispatcher     *dispatcher.ConnectionDispatcher
+	enabledLocally bool
+
+	lazyConnMgr *manager.Manager
+
+	wg        sync.WaitGroup
+	ctx       context.Context
+	ctxCancel context.CancelFunc
+}
+
+func NewConnMgr(engineConfig *EngineConfig, statusRecorder *peer.Status, peerStore *peerstore.Store, iface lazyconn.WGIface, dispatcher *dispatcher.ConnectionDispatcher) *ConnMgr {
+	e := &ConnMgr{
+		peerStore:      peerStore,
+		statusRecorder: statusRecorder,
+		iface:          iface,
+		dispatcher:     dispatcher,
+	}
+	if engineConfig.LazyConnectionEnabled || lazyconn.IsLazyConnEnabledByEnv() {
+		e.enabledLocally = true
+	}
+	return e
+}
+
+// Start initializes the connection manager and starts the lazy connection manager if enabled by env var or cmd line option.
+func (e *ConnMgr) Start(ctx context.Context) {
+	if e.lazyConnMgr != nil {
+		log.Errorf("lazy connection manager is already started")
+		return
+	}
+
+	if !e.enabledLocally {
+		log.Infof("lazy connection manager is disabled")
+		return
+	}
+
+	e.initLazyManager(ctx)
+	e.statusRecorder.UpdateLazyConnection(true)
+}
+
+// UpdatedRemoteFeatureFlag is called when the remote feature flag is updated.
+// If enabled, it initializes the lazy connection manager and start it. Do not need to call Start() again.
+// If disabled, then it closes the lazy connection manager and open the connections to all peers.
+func (e *ConnMgr) UpdatedRemoteFeatureFlag(ctx context.Context, enabled bool) error {
+	// do not disable lazy connection manager if it was enabled by env var
+	if e.enabledLocally {
+		return nil
+	}
+
+	if enabled {
+		// if the lazy connection manager is already started, do not start it again
+		if e.lazyConnMgr != nil {
+			return nil
+		}
+
+		log.Infof("lazy connection manager is enabled by management feature flag")
+		e.initLazyManager(ctx)
+		e.statusRecorder.UpdateLazyConnection(true)
+		return e.addPeersToLazyConnManager(ctx)
+	} else {
+		if e.lazyConnMgr == nil {
+			return nil
+		}
+		log.Infof("lazy connection manager is disabled by management feature flag")
+		e.closeManager(ctx)
+		e.statusRecorder.UpdateLazyConnection(false)
+		return nil
+	}
+}
+
+// SetExcludeList sets the list of peer IDs that should always have permanent connections.
+func (e *ConnMgr) SetExcludeList(peerIDs map[string]bool) {
+	if e.lazyConnMgr == nil {
+		return
+	}
+
+	excludedPeers := make([]lazyconn.PeerConfig, 0, len(peerIDs))
+
+	for peerID := range peerIDs {
+		var peerConn *peer.Conn
+		var exists bool
+		if peerConn, exists = e.peerStore.PeerConn(peerID); !exists {
+			log.Warnf("failed to find peer conn for peerID: %s", peerID)
+			continue
+		}
+
+		lazyPeerCfg := lazyconn.PeerConfig{
+			PublicKey:  peerID,
+			AllowedIPs: peerConn.WgConfig().AllowedIps,
+			PeerConnID: peerConn.ConnID(),
+			Log:        peerConn.Log,
+		}
+		excludedPeers = append(excludedPeers, lazyPeerCfg)
+	}
+
+	added := e.lazyConnMgr.ExcludePeer(e.ctx, excludedPeers)
+	for _, peerID := range added {
+		var peerConn *peer.Conn
+		var exists bool
+		if peerConn, exists = e.peerStore.PeerConn(peerID); !exists {
+			// if the peer not exist in the store, it means that the engine will call the AddPeerConn in next step
+			continue
+		}
+
+		peerConn.Log.Infof("peer has been added to lazy connection exclude list, opening permanent connection")
+		if err := peerConn.Open(e.ctx); err != nil {
+			peerConn.Log.Errorf("failed to open connection: %v", err)
+		}
+	}
+}
+
+func (e *ConnMgr) AddPeerConn(ctx context.Context, peerKey string, conn *peer.Conn) (exists bool) {
+	if success := e.peerStore.AddPeerConn(peerKey, conn); !success {
+		return true
+	}
+
+	if !e.isStartedWithLazyMgr() {
+		if err := conn.Open(ctx); err != nil {
+			conn.Log.Errorf("failed to open connection: %v", err)
+		}
+		return
+	}
+
+	if !lazyconn.IsSupported(conn.AgentVersionString()) {
+		conn.Log.Warnf("peer does not support lazy connection (%s), open permanent connection", conn.AgentVersionString())
+		if err := conn.Open(ctx); err != nil {
+			conn.Log.Errorf("failed to open connection: %v", err)
+		}
+		return
+	}
+
+	lazyPeerCfg := lazyconn.PeerConfig{
+		PublicKey:  peerKey,
+		AllowedIPs: conn.WgConfig().AllowedIps,
+		PeerConnID: conn.ConnID(),
+		Log:        conn.Log,
+	}
+	excluded, err := e.lazyConnMgr.AddPeer(lazyPeerCfg)
+	if err != nil {
+		conn.Log.Errorf("failed to add peer to lazyconn manager: %v", err)
+		if err := conn.Open(ctx); err != nil {
+			conn.Log.Errorf("failed to open connection: %v", err)
+		}
+		return
+	}
+
+	if excluded {
+		conn.Log.Infof("peer is on lazy conn manager exclude list, opening connection")
+		if err := conn.Open(ctx); err != nil {
+			conn.Log.Errorf("failed to open connection: %v", err)
+		}
+		return
+	}
+
+	conn.Log.Infof("peer added to lazy conn manager")
+	return
+}
+
+func (e *ConnMgr) RemovePeerConn(peerKey string) {
+	conn, ok := e.peerStore.Remove(peerKey)
+	if !ok {
+		return
+	}
+	defer conn.Close()
+
+	if !e.isStartedWithLazyMgr() {
+		return
+	}
+
+	e.lazyConnMgr.RemovePeer(peerKey)
+	conn.Log.Infof("removed peer from lazy conn manager")
+}
+
+func (e *ConnMgr) OnSignalMsg(ctx context.Context, peerKey string) (*peer.Conn, bool) {
+	conn, ok := e.peerStore.PeerConn(peerKey)
+	if !ok {
+		return nil, false
+	}
+
+	if !e.isStartedWithLazyMgr() {
+		return conn, true
+	}
+
+	if found := e.lazyConnMgr.ActivatePeer(ctx, peerKey); found {
+		conn.Log.Infof("activated peer from inactive state")
+		if err := conn.Open(e.ctx); err != nil {
+			conn.Log.Errorf("failed to open connection: %v", err)
+		}
+	}
+	return conn, true
+}
+
+func (e *ConnMgr) Close() {
+	if !e.isStartedWithLazyMgr() {
+		return
+	}
+
+	e.ctxCancel()
+	e.wg.Wait()
+	e.lazyConnMgr = nil
+}
+
+func (e *ConnMgr) initLazyManager(parentCtx context.Context) {
+	cfg := manager.Config{
+		InactivityThreshold: inactivityThresholdEnv(),
+	}
+	e.lazyConnMgr = manager.NewManager(cfg, e.peerStore, e.iface, e.dispatcher)
+
+	ctx, cancel := context.WithCancel(parentCtx)
+	e.ctx = ctx
+	e.ctxCancel = cancel
+
+	e.wg.Add(1)
+	go func() {
+		defer e.wg.Done()
+		e.lazyConnMgr.Start(ctx)
+	}()
+}
+
+func (e *ConnMgr) addPeersToLazyConnManager(ctx context.Context) error {
+	peers := e.peerStore.PeersPubKey()
+	lazyPeerCfgs := make([]lazyconn.PeerConfig, 0, len(peers))
+	for _, peerID := range peers {
+		var peerConn *peer.Conn
+		var exists bool
+		if peerConn, exists = e.peerStore.PeerConn(peerID); !exists {
+			log.Warnf("failed to find peer conn for peerID: %s", peerID)
+			continue
+		}
+
+		lazyPeerCfg := lazyconn.PeerConfig{
+			PublicKey:  peerID,
+			AllowedIPs: peerConn.WgConfig().AllowedIps,
+			PeerConnID: peerConn.ConnID(),
+			Log:        peerConn.Log,
+		}
+		lazyPeerCfgs = append(lazyPeerCfgs, lazyPeerCfg)
+	}
+
+	return e.lazyConnMgr.AddActivePeers(ctx, lazyPeerCfgs)
+}
+
+func (e *ConnMgr) closeManager(ctx context.Context) {
+	if e.lazyConnMgr == nil {
+		return
+	}
+
+	e.ctxCancel()
+	e.wg.Wait()
+	e.lazyConnMgr = nil
+
+	for _, peerID := range e.peerStore.PeersPubKey() {
+		e.peerStore.PeerConnOpen(ctx, peerID)
+	}
+}
+
+func (e *ConnMgr) isStartedWithLazyMgr() bool {
+	return e.lazyConnMgr != nil && e.ctxCancel != nil
+}
+
+func inactivityThresholdEnv() *time.Duration {
+	envValue := os.Getenv(lazyconn.EnvInactivityThreshold)
+	if envValue == "" {
+		return nil
+	}
+
+	parsedMinutes, err := strconv.Atoi(envValue)
+	if err != nil || parsedMinutes <= 0 {
+		return nil
+	}
+
+	d := time.Duration(parsedMinutes) * time.Minute
+	return &d
+}

client/internal/connect.go

@@ -436,11 +436,13 @@ func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.Pe
 		DNSRouteInterval:     config.DNSRouteInterval,
 
 		DisableClientRoutes: config.DisableClientRoutes,
-		DisableServerRoutes: config.DisableServerRoutes,
+		DisableServerRoutes: config.DisableServerRoutes || config.BlockInbound,
 		DisableDNS:          config.DisableDNS,
 		DisableFirewall:     config.DisableFirewall,
-
 		BlockLANAccess:      config.BlockLANAccess,
+		BlockInbound:        config.BlockInbound,
+
+		LazyConnectionEnabled: config.LazyConnectionEnabled,
 	}
 
 	if config.PreSharedKey != "" {
@@ -481,7 +483,7 @@ func connectToSignal(ctx context.Context, wtConfig *mgmProto.NetbirdConfig, ourP
 	return signalClient, nil
 }
 
-// loginToManagement creates Management Services client, establishes a connection, logs-in and gets a global Netbird config (signal, turn, stun hosts, etc)
+// loginToManagement creates Management ServiceDependencies client, establishes a connection, logs-in and gets a global Netbird config (signal, turn, stun hosts, etc)
 func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte, config *Config) (*mgmProto.LoginResponse, error) {
 
 	serverPublicKey, err := client.GetServerPublicKey()

client/internal/debug/debug.go

@@ -4,6 +4,7 @@ import (
 	"archive/zip"
 	"bufio"
 	"bytes"
+	"compress/gzip"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -269,11 +270,21 @@ func (g *BundleGenerator) createArchive() error {
 		log.Errorf("Failed to add corrupted state files to debug bundle: %v", err)
 	}
 
-	if g.logFile != "console" {
+	if err := g.addWgShow(); err != nil {
+		log.Errorf("Failed to add wg show output: %v", err)
+	}
+
+	if g.logFile != "console" && g.logFile != "" {
 		if err := g.addLogfile(); err != nil {
-			return fmt.Errorf("add log file: %w", err)
+			log.Errorf("Failed to add log file to debug bundle: %v", err)
+			if err := g.trySystemdLogFallback(); err != nil {
+				log.Errorf("Failed to add systemd logs as fallback: %v", err)
 			}
 		}
+	} else if err := g.trySystemdLogFallback(); err != nil {
+		log.Errorf("Failed to add systemd logs: %v", err)
+	}
+
 	return nil
 }
 
@@ -365,17 +376,34 @@ func (g *BundleGenerator) addCommonConfigFields(configContent *strings.Builder)
 	configContent.WriteString(fmt.Sprintf("RosenpassEnabled: %v\n", g.internalConfig.RosenpassEnabled))
 	configContent.WriteString(fmt.Sprintf("RosenpassPermissive: %v\n", g.internalConfig.RosenpassPermissive))
 	if g.internalConfig.ServerSSHAllowed != nil {
-		configContent.WriteString(fmt.Sprintf("BundleGeneratorSSHAllowed: %v\n", *g.internalConfig.ServerSSHAllowed))
+		configContent.WriteString(fmt.Sprintf("ServerSSHAllowed: %v\n", *g.internalConfig.ServerSSHAllowed))
 	}
-	configContent.WriteString(fmt.Sprintf("DisableAutoConnect: %v\n", g.internalConfig.DisableAutoConnect))
-	configContent.WriteString(fmt.Sprintf("DNSRouteInterval: %s\n", g.internalConfig.DNSRouteInterval))
 
 	configContent.WriteString(fmt.Sprintf("DisableClientRoutes: %v\n", g.internalConfig.DisableClientRoutes))
-	configContent.WriteString(fmt.Sprintf("DisableBundleGeneratorRoutes: %v\n", g.internalConfig.DisableServerRoutes))
+	configContent.WriteString(fmt.Sprintf("DisableServerRoutes: %v\n", g.internalConfig.DisableServerRoutes))
 	configContent.WriteString(fmt.Sprintf("DisableDNS: %v\n", g.internalConfig.DisableDNS))
 	configContent.WriteString(fmt.Sprintf("DisableFirewall: %v\n", g.internalConfig.DisableFirewall))
-
 	configContent.WriteString(fmt.Sprintf("BlockLANAccess: %v\n", g.internalConfig.BlockLANAccess))
+	configContent.WriteString(fmt.Sprintf("BlockInbound: %v\n", g.internalConfig.BlockInbound))
+
+	if g.internalConfig.DisableNotifications != nil {
+		configContent.WriteString(fmt.Sprintf("DisableNotifications: %v\n", *g.internalConfig.DisableNotifications))
+	}
+
+	configContent.WriteString(fmt.Sprintf("DNSLabels: %v\n", g.internalConfig.DNSLabels))
+
+	configContent.WriteString(fmt.Sprintf("DisableAutoConnect: %v\n", g.internalConfig.DisableAutoConnect))
+
+	configContent.WriteString(fmt.Sprintf("DNSRouteInterval: %s\n", g.internalConfig.DNSRouteInterval))
+
+	if g.internalConfig.ClientCertPath != "" {
+		configContent.WriteString(fmt.Sprintf("ClientCertPath: %s\n", g.internalConfig.ClientCertPath))
+	}
+	if g.internalConfig.ClientCertKeyPath != "" {
+		configContent.WriteString(fmt.Sprintf("ClientCertKeyPath: %s\n", g.internalConfig.ClientCertKeyPath))
+	}
+
+	configContent.WriteString(fmt.Sprintf("LazyConnectionEnabled: %v\n", g.internalConfig.LazyConnectionEnabled))
 }
 
 func (g *BundleGenerator) addProf() (err error) {
@@ -533,6 +561,33 @@ func (g *BundleGenerator) addLogfile() error {
 		return fmt.Errorf("add client log file to zip: %w", err)
 	}
 
+	// add latest rotated log file
+	pattern := filepath.Join(logDir, "client-*.log.gz")
+	files, err := filepath.Glob(pattern)
+	if err != nil {
+		log.Warnf("failed to glob rotated logs: %v", err)
+	} else if len(files) > 0 {
+		// pick the file with the latest ModTime
+		sort.Slice(files, func(i, j int) bool {
+			fi, err := os.Stat(files[i])
+			if err != nil {
+				log.Warnf("failed to stat rotated log %s: %v", files[i], err)
+				return false
+			}
+			fj, err := os.Stat(files[j])
+			if err != nil {
+				log.Warnf("failed to stat rotated log %s: %v", files[j], err)
+				return false
+			}
+			return fi.ModTime().Before(fj.ModTime())
+		})
+		latest := files[len(files)-1]
+		name := filepath.Base(latest)
+		if err := g.addSingleLogFileGz(latest, name); err != nil {
+			log.Warnf("failed to add rotated log %s: %v", name, err)
+		}
+	}
+
 	stdErrLogPath := filepath.Join(logDir, errorLogFile)
 	stdoutLogPath := filepath.Join(logDir, stdoutLogFile)
 	if runtime.GOOS == "darwin" {
@@ -563,16 +618,13 @@ func (g *BundleGenerator) addSingleLogfile(logPath, targetName string) error {
 		}
 	}()
 
-	var logReader io.Reader
+	var logReader io.Reader = logFile
 	if g.anonymize {
 		var writer *io.PipeWriter
 		logReader, writer = io.Pipe()
 
 		go anonymizeLog(logFile, writer, g.anonymizer)
-	} else {
-		logReader = logFile
 	}
-
 	if err := g.addFileToZip(logReader, targetName); err != nil {
 		return fmt.Errorf("add %s to zip: %w", targetName, err)
 	}
@@ -580,6 +632,44 @@ func (g *BundleGenerator) addSingleLogfile(logPath, targetName string) error {
 	return nil
 }
 
+// addSingleLogFileGz adds a single gzipped log file to the archive
+func (g *BundleGenerator) addSingleLogFileGz(logPath, targetName string) error {
+	f, err := os.Open(logPath)
+	if err != nil {
+		return fmt.Errorf("open gz log file %s: %w", targetName, err)
+	}
+	defer f.Close()
+
+	gzr, err := gzip.NewReader(f)
+	if err != nil {
+		return fmt.Errorf("create gzip reader: %w", err)
+	}
+	defer gzr.Close()
+
+	var logReader io.Reader = gzr
+	if g.anonymize {
+		var pw *io.PipeWriter
+		logReader, pw = io.Pipe()
+		go anonymizeLog(gzr, pw, g.anonymizer)
+	}
+
+	var buf bytes.Buffer
+	gw := gzip.NewWriter(&buf)
+	if _, err := io.Copy(gw, logReader); err != nil {
+		return fmt.Errorf("re-gzip: %w", err)
+	}
+
+	if err := gw.Close(); err != nil {
+		return fmt.Errorf("close gzip writer: %w", err)
+	}
+
+	if err := g.addFileToZip(&buf, targetName); err != nil {
+		return fmt.Errorf("add anonymized gz: %w", err)
+	}
+
+	return nil
+}
+
 func (g *BundleGenerator) addFileToZip(reader io.Reader, filename string) error {
 	header := &zip.FileHeader{
 		Name:     filename,

client/internal/debug/debug_linux.go

@@ -4,17 +4,104 @@ package debug
 
 import (
 	"bytes"
+	"context"
 	"encoding/binary"
+	"errors"
 	"fmt"
+	"os"
 	"os/exec"
 	"sort"
 	"strings"
+	"time"
 
 	"github.com/google/nftables"
 	"github.com/google/nftables/expr"
 	log "github.com/sirupsen/logrus"
 )
 
+const (
+	maxLogEntries = 100000
+	maxLogAge     = 7 * 24 * time.Hour // Last 7 days
+)
+
+// trySystemdLogFallback attempts to get logs from systemd journal as fallback
+func (g *BundleGenerator) trySystemdLogFallback() error {
+	log.Debug("Attempting to collect systemd journal logs")
+
+	serviceName := getServiceName()
+	journalLogs, err := getSystemdLogs(serviceName)
+	if err != nil {
+		return fmt.Errorf("get systemd logs for %s: %w", serviceName, err)
+	}
+
+	if strings.Contains(journalLogs, "No recent log entries found") {
+		log.Debug("No recent log entries found in systemd journal")
+		return nil
+	}
+
+	if g.anonymize {
+		journalLogs = g.anonymizer.AnonymizeString(journalLogs)
+	}
+
+	logReader := strings.NewReader(journalLogs)
+	fileName := fmt.Sprintf("systemd-%s.log", serviceName)
+	if err := g.addFileToZip(logReader, fileName); err != nil {
+		return fmt.Errorf("add systemd logs to bundle: %w", err)
+	}
+
+	log.Infof("Added systemd journal logs for %s to debug bundle", serviceName)
+	return nil
+}
+
+// getServiceName gets the service name from environment or defaults to netbird
+func getServiceName() string {
+	if unitName := os.Getenv("SYSTEMD_UNIT"); unitName != "" {
+		log.Debugf("Detected SYSTEMD_UNIT environment variable: %s", unitName)
+		return unitName
+	}
+
+	return "netbird"
+}
+
+// getSystemdLogs retrieves logs from systemd journal for a specific service using journalctl
+func getSystemdLogs(serviceName string) (string, error) {
+	args := []string{
+		"-u", fmt.Sprintf("%s.service", serviceName),
+		"--since", fmt.Sprintf("-%s", maxLogAge.String()),
+		"--lines", fmt.Sprintf("%d", maxLogEntries),
+		"--no-pager",
+		"--output", "short-iso",
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	cmd := exec.CommandContext(ctx, "journalctl", args...)
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	if err := cmd.Run(); err != nil {
+		if errors.Is(ctx.Err(), context.DeadlineExceeded) {
+			return "", fmt.Errorf("journalctl command timed out after 30 seconds")
+		}
+		if strings.Contains(err.Error(), "executable file not found") {
+			return "", fmt.Errorf("journalctl command not found: %w", err)
+		}
+		return "", fmt.Errorf("execute journalctl: %w (stderr: %s)", err, stderr.String())
+	}
+
+	logs := stdout.String()
+	if strings.TrimSpace(logs) == "" {
+		return "No recent log entries found in systemd journal", nil
+	}
+
+	header := fmt.Sprintf("=== Systemd Journal Logs for %s.service (last %d entries, max %s) ===\n",
+		serviceName, maxLogEntries, maxLogAge.String())
+
+	return header + logs, nil
+}
+
 // addFirewallRules collects and adds firewall rules to the archive
 func (g *BundleGenerator) addFirewallRules() error {
 	log.Info("Collecting firewall rules")
@@ -481,7 +568,7 @@ func formatExpr(exp expr.Any) string {
 	case *expr.Fib:
 		return formatFib(e)
 	case *expr.Target:
-		return fmt.Sprintf("jump %s", e.Name) // Properly format jump targets
+		return fmt.Sprintf("jump %s", e.Name)
 	case *expr.Immediate:
 		if e.Register == 1 {
 			return formatImmediateData(e.Data)

client/internal/debug/debug_nonlinux.go

@@ -6,3 +6,9 @@ package debug
 func (g *BundleGenerator) addFirewallRules() error {
 	return nil
 }
+
+func (g *BundleGenerator) trySystemdLogFallback() error {
+	// Systemd is only available on Linux
+	// TODO: Add BSD support
+	return nil
+}

client/internal/debug/wgshow.go

@@ -0,0 +1,66 @@
+package debug
+
+import (
+	"bytes"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/netbirdio/netbird/client/iface/configurer"
+)
+
+type WGIface interface {
+	FullStats() (*configurer.Stats, error)
+}
+
+func (g *BundleGenerator) addWgShow() error {
+	result, err := g.statusRecorder.PeersStatus()
+	if err != nil {
+		return err
+	}
+
+	output := g.toWGShowFormat(result)
+	reader := bytes.NewReader([]byte(output))
+
+	if err := g.addFileToZip(reader, "wgshow.txt"); err != nil {
+		return fmt.Errorf("add wg show to zip: %w", err)
+	}
+	return nil
+}
+
+func (g *BundleGenerator) toWGShowFormat(s *configurer.Stats) string {
+	var sb strings.Builder
+
+	sb.WriteString(fmt.Sprintf("interface: %s\n", s.DeviceName))
+	sb.WriteString(fmt.Sprintf("  public key: %s\n", s.PublicKey))
+	sb.WriteString(fmt.Sprintf("  listen port: %d\n", s.ListenPort))
+	if s.FWMark != 0 {
+		sb.WriteString(fmt.Sprintf("  fwmark: %#x\n", s.FWMark))
+	}
+
+	for _, peer := range s.Peers {
+		sb.WriteString(fmt.Sprintf("\npeer: %s\n", peer.PublicKey))
+		if peer.Endpoint.IP != nil {
+			if g.anonymize {
+				anonEndpoint := g.anonymizer.AnonymizeUDPAddr(peer.Endpoint)
+				sb.WriteString(fmt.Sprintf("  endpoint: %s\n", anonEndpoint.String()))
+			} else {
+				sb.WriteString(fmt.Sprintf("  endpoint: %s\n", peer.Endpoint.String()))
+			}
+		}
+		if len(peer.AllowedIPs) > 0 {
+			var ipStrings []string
+			for _, ipnet := range peer.AllowedIPs {
+				ipStrings = append(ipStrings, ipnet.String())
+			}
+			sb.WriteString(fmt.Sprintf("  allowed ips: %s\n", strings.Join(ipStrings, ", ")))
+		}
+		sb.WriteString(fmt.Sprintf("  latest handshake: %s\n", peer.LastHandshake.Format(time.RFC1123)))
+		sb.WriteString(fmt.Sprintf("  transfer: %d B received, %d B sent\n", peer.RxBytes, peer.TxBytes))
+		if peer.PresharedKey {
+			sb.WriteString("  preshared key: (hidden)\n")
+		}
+	}
+
+	return sb.String()
+}

client/internal/dns.go

@@ -2,7 +2,7 @@ package internal
 
 import (
 	"fmt"
-	"net"
+	"net/netip"
 	"slices"
 	"strings"
 
@@ -12,13 +12,14 @@ import (
 	nbdns "github.com/netbirdio/netbird/dns"
 )
 
-func createPTRRecord(aRecord nbdns.SimpleRecord, ipNet *net.IPNet) (nbdns.SimpleRecord, bool) {
+func createPTRRecord(aRecord nbdns.SimpleRecord, prefix netip.Prefix) (nbdns.SimpleRecord, bool) {
-	ip := net.ParseIP(aRecord.RData)
+	ip, err := netip.ParseAddr(aRecord.RData)
-	if ip == nil || ip.To4() == nil {
+	if err != nil {
+		log.Warnf("failed to parse IP address %s: %v", aRecord.RData, err)
 		return nbdns.SimpleRecord{}, false
 	}
 
-	if !ipNet.Contains(ip) {
+	if !prefix.Contains(ip) {
 		return nbdns.SimpleRecord{}, false
 	}
 
@@ -36,16 +37,19 @@ func createPTRRecord(aRecord nbdns.SimpleRecord, ipNet *net.IPNet) (nbdns.Simple
 }
 
 // generateReverseZoneName creates the reverse DNS zone name for a given network
-func generateReverseZoneName(ipNet *net.IPNet) (string, error) {
+func generateReverseZoneName(network netip.Prefix) (string, error) {
-	networkIP := ipNet.IP.Mask(ipNet.Mask)
+	networkIP := network.Masked().Addr()
-	maskOnes, _ := ipNet.Mask.Size()
+
+	if !networkIP.Is4() {
+		return "", fmt.Errorf("reverse DNS is only supported for IPv4 networks, got: %s", networkIP)
+	}
 
 	// round up to nearest byte
-	octetsToUse := (maskOnes + 7) / 8
+	octetsToUse := (network.Bits() + 7) / 8
 
 	octets := strings.Split(networkIP.String(), ".")
 	if octetsToUse > len(octets) {
-		return "", fmt.Errorf("invalid network mask size for reverse DNS: %d", maskOnes)
+		return "", fmt.Errorf("invalid network mask size for reverse DNS: %d", network.Bits())
 	}
 
 	reverseOctets := make([]string, octetsToUse)
@@ -68,7 +72,7 @@ func zoneExists(config *nbdns.Config, zoneName string) bool {
 }
 
 // collectPTRRecords gathers all PTR records for the given network from A records
-func collectPTRRecords(config *nbdns.Config, ipNet *net.IPNet) []nbdns.SimpleRecord {
+func collectPTRRecords(config *nbdns.Config, prefix netip.Prefix) []nbdns.SimpleRecord {
 	var records []nbdns.SimpleRecord
 
 	for _, zone := range config.CustomZones {
@@ -77,7 +81,7 @@ func collectPTRRecords(config *nbdns.Config, ipNet *net.IPNet) []nbdns.SimpleRec
 				continue
 			}
 
-			if ptrRecord, ok := createPTRRecord(record, ipNet); ok {
+			if ptrRecord, ok := createPTRRecord(record, prefix); ok {
 				records = append(records, ptrRecord)
 			}
 		}
@@ -87,8 +91,8 @@ func collectPTRRecords(config *nbdns.Config, ipNet *net.IPNet) []nbdns.SimpleRec
 }
 
 // addReverseZone adds a reverse DNS zone to the configuration for the given network
-func addReverseZone(config *nbdns.Config, ipNet *net.IPNet) {
+func addReverseZone(config *nbdns.Config, network netip.Prefix) {
-	zoneName, err := generateReverseZoneName(ipNet)
+	zoneName, err := generateReverseZoneName(network)
 	if err != nil {
 		log.Warn(err)
 		return
@@ -99,7 +103,7 @@ func addReverseZone(config *nbdns.Config, ipNet *net.IPNet) {
 		return
 	}
 
-	records := collectPTRRecords(config, ipNet)
+	records := collectPTRRecords(config, network)
 
 	reverseZone := nbdns.CustomZone{
 		Domain:  zoneName,

client/internal/dns/handler_chain.go

@@ -1,6 +1,7 @@
 package dns
 
 import (
+	"fmt"
 	"slices"
 	"strings"
 	"sync"
@@ -148,47 +149,27 @@ func (c *HandlerChain) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	}
 
 	qname := strings.ToLower(r.Question[0].Name)
-	log.Tracef("handling DNS request for domain=%s", qname)
 
 	c.mu.RLock()
 	handlers := slices.Clone(c.handlers)
 	c.mu.RUnlock()
 
 	if log.IsLevelEnabled(log.TraceLevel) {
-		log.Tracef("current handlers (%d):", len(handlers))
+		var b strings.Builder
+		b.WriteString(fmt.Sprintf("DNS request domain=%s, handlers (%d):\n", qname, len(handlers)))
 		for _, h := range handlers {
-			log.Tracef("  - pattern: domain=%s original: domain=%s wildcard=%v match_subdomain=%v priority=%d",
+			b.WriteString(fmt.Sprintf("  - pattern: domain=%s original: domain=%s wildcard=%v match_subdomain=%v priority=%d\n",
-				h.Pattern, h.OrigPattern, h.IsWildcard, h.MatchSubdomains, h.Priority)
+				h.Pattern, h.OrigPattern, h.IsWildcard, h.MatchSubdomains, h.Priority))
 		}
+		log.Trace(strings.TrimSuffix(b.String(), "\n"))
 	}
 
 	// Try handlers in priority order
 	for _, entry := range handlers {
-		var matched bool
+		matched := c.isHandlerMatch(qname, entry)
-		switch {
-		case entry.Pattern == ".":
-			matched = true
-		case entry.IsWildcard:
-			parts := strings.Split(strings.TrimSuffix(qname, entry.Pattern), ".")
-			matched = len(parts) >= 2 && strings.HasSuffix(qname, entry.Pattern)
-		default:
-			// For non-wildcard patterns:
-			// If handler wants subdomain matching, allow suffix match
-			// Otherwise require exact match
-			if entry.MatchSubdomains {
-				matched = strings.EqualFold(qname, entry.Pattern) || strings.HasSuffix(qname, "."+entry.Pattern)
-			} else {
-				matched = strings.EqualFold(qname, entry.Pattern)
-			}
-		}
 
-		if !matched {
+		if matched {
-			log.Tracef("trying domain match: request: domain=%s pattern: domain=%s wildcard=%v match_subdomain=%v priority=%d matched=false",
+			log.Tracef("handler matched: domain=%s -> pattern=%s wildcard=%v match_subdomain=%v priority=%d",
-				qname, entry.OrigPattern, entry.MatchSubdomains, entry.IsWildcard, entry.Priority)
-			continue
-		}
-
-		log.Tracef("handler matched: request: domain=%s pattern: domain=%s wildcard=%v match_subdomain=%v priority=%d",
 				qname, entry.OrigPattern, entry.IsWildcard, entry.MatchSubdomains, entry.Priority)
 
 			chainWriter := &ResponseWriterChain{
@@ -199,11 +180,12 @@ func (c *HandlerChain) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 
 			// If handler wants to continue, try next handler
 			if chainWriter.shouldContinue {
-			log.Tracef("handler requested continue to next handler")
+				log.Tracef("handler requested continue to next handler for domain=%s", qname)
 				continue
 			}
 			return
 		}
+	}
 
 	// No handler matched or all handlers passed
 	log.Tracef("no handler found for domain=%s", qname)
@@ -213,3 +195,22 @@ func (c *HandlerChain) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		log.Errorf("failed to write DNS response: %v", err)
 	}
 }
+
+func (c *HandlerChain) isHandlerMatch(qname string, entry HandlerEntry) bool {
+	switch {
+	case entry.Pattern == ".":
+		return true
+	case entry.IsWildcard:
+		parts := strings.Split(strings.TrimSuffix(qname, entry.Pattern), ".")
+		return len(parts) >= 2 && strings.HasSuffix(qname, entry.Pattern)
+	default:
+		// For non-wildcard patterns:
+		// If handler wants subdomain matching, allow suffix match
+		// Otherwise require exact match
+		if entry.MatchSubdomains {
+			return strings.EqualFold(qname, entry.Pattern) || strings.HasSuffix(qname, "."+entry.Pattern)
+		} else {
+			return strings.EqualFold(qname, entry.Pattern)
+		}
+	}
+}

client/internal/dns/handler_chain_test.go

@@ -1,7 +1,6 @@
 package dns_test
 
 import (
-	"net"
 	"testing"
 
 	"github.com/miekg/dns"
@@ -9,6 +8,7 @@ import (
 	"github.com/stretchr/testify/mock"
 
 	nbdns "github.com/netbirdio/netbird/client/internal/dns"
+	"github.com/netbirdio/netbird/client/internal/dns/test"
 )
 
 // TestHandlerChain_ServeDNS_Priorities tests that handlers are executed in priority order
@@ -30,7 +30,7 @@ func TestHandlerChain_ServeDNS_Priorities(t *testing.T) {
 	r.SetQuestion("example.com.", dns.TypeA)
 
 	// Create test writer
-	w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+	w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 
 	// Setup expectations - only highest priority handler should be called
 	dnsRouteHandler.On("ServeDNS", mock.Anything, r).Once()
@@ -142,7 +142,7 @@ func TestHandlerChain_ServeDNS_DomainMatching(t *testing.T) {
 
 			r := new(dns.Msg)
 			r.SetQuestion(tt.queryDomain, dns.TypeA)
-			w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+			w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 
 			chain.ServeDNS(w, r)
 
@@ -259,7 +259,7 @@ func TestHandlerChain_ServeDNS_OverlappingDomains(t *testing.T) {
 			// Create and execute request
 			r := new(dns.Msg)
 			r.SetQuestion(tt.queryDomain, dns.TypeA)
-			w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+			w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 			chain.ServeDNS(w, r)
 
 			// Verify expectations
@@ -316,7 +316,7 @@ func TestHandlerChain_ServeDNS_ChainContinuation(t *testing.T) {
 	}).Once()
 
 	// Execute
-	w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+	w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 	chain.ServeDNS(w, r)
 
 	// Verify all handlers were called in order
@@ -325,20 +325,6 @@ func TestHandlerChain_ServeDNS_ChainContinuation(t *testing.T) {
 	handler3.AssertExpectations(t)
 }
 
-// mockResponseWriter implements dns.ResponseWriter for testing
-type mockResponseWriter struct {
-	mock.Mock
-}
-
-func (m *mockResponseWriter) LocalAddr() net.Addr       { return nil }
-func (m *mockResponseWriter) RemoteAddr() net.Addr      { return nil }
-func (m *mockResponseWriter) WriteMsg(*dns.Msg) error   { return nil }
-func (m *mockResponseWriter) Write([]byte) (int, error) { return 0, nil }
-func (m *mockResponseWriter) Close() error              { return nil }
-func (m *mockResponseWriter) TsigStatus() error         { return nil }
-func (m *mockResponseWriter) TsigTimersOnly(bool)       {}
-func (m *mockResponseWriter) Hijack()                   {}
-
 func TestHandlerChain_PriorityDeregistration(t *testing.T) {
 	tests := []struct {
 		name string
@@ -425,7 +411,7 @@ func TestHandlerChain_PriorityDeregistration(t *testing.T) {
 			// Create test request
 			r := new(dns.Msg)
 			r.SetQuestion(tt.query, dns.TypeA)
-			w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+			w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 
 			// Setup expectations
 			for priority, handler := range handlers {
@@ -471,7 +457,7 @@ func TestHandlerChain_MultiPriorityHandling(t *testing.T) {
 	chain.AddHandler(testDomain, matchHandler, nbdns.PriorityMatchDomain)
 
 	// Test 1: Initial state
-	w1 := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+	w1 := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 	// Highest priority handler (routeHandler) should be called
 	routeHandler.On("ServeDNS", mock.Anything, r).Return().Once()
 	matchHandler.On("ServeDNS", mock.Anything, r).Maybe()   // Ensure others are not expected yet
@@ -490,7 +476,7 @@ func TestHandlerChain_MultiPriorityHandling(t *testing.T) {
 	// Test 2: Remove highest priority handler
 	chain.RemoveHandler(testDomain, nbdns.PriorityDNSRoute)
 
-	w2 := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+	w2 := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 	// Now middle priority handler (matchHandler) should be called
 	matchHandler.On("ServeDNS", mock.Anything, r).Return().Once()
 	defaultHandler.On("ServeDNS", mock.Anything, r).Maybe() // Ensure default is not expected yet
@@ -506,7 +492,7 @@ func TestHandlerChain_MultiPriorityHandling(t *testing.T) {
 	// Test 3: Remove middle priority handler
 	chain.RemoveHandler(testDomain, nbdns.PriorityMatchDomain)
 
-	w3 := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+	w3 := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 	// Now lowest priority handler (defaultHandler) should be called
 	defaultHandler.On("ServeDNS", mock.Anything, r).Return().Once()
 
@@ -519,7 +505,7 @@ func TestHandlerChain_MultiPriorityHandling(t *testing.T) {
 	// Test 4: Remove last handler
 	chain.RemoveHandler(testDomain, nbdns.PriorityDefault)
 
-	w4 := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+	w4 := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 	chain.ServeDNS(w4, r) // Call ServeDNS on the now empty chain for this domain
 
 	for _, m := range mocks {
@@ -675,7 +661,7 @@ func TestHandlerChain_CaseSensitivity(t *testing.T) {
 			// Execute request
 			r := new(dns.Msg)
 			r.SetQuestion(tt.query, dns.TypeA)
-			chain.ServeDNS(&mockResponseWriter{}, r)
+			chain.ServeDNS(&test.MockResponseWriter{}, r)
 
 			// Verify each handler was called exactly as expected
 			for _, h := range tt.addHandlers {
@@ -819,7 +805,7 @@ func TestHandlerChain_DomainSpecificityOrdering(t *testing.T) {
 
 			r := new(dns.Msg)
 			r.SetQuestion(tt.query, dns.TypeA)
-			w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+			w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 
 			// Setup handler expectations
 			for pattern, handler := range handlers {
@@ -969,7 +955,7 @@ func TestHandlerChain_AddRemoveRoundtrip(t *testing.T) {
 			handler := &nbdns.MockHandler{}
 			r := new(dns.Msg)
 			r.SetQuestion(tt.queryPattern, dns.TypeA)
-			w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+			w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 
 			// First verify no handler is called before adding any
 			chain.ServeDNS(w, r)

client/internal/dns/host_windows.go

@@ -1,11 +1,14 @@
 package dns
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"io"
+	"os/exec"
 	"strings"
 	"syscall"
+	"time"
 
 	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
@@ -41,6 +44,20 @@ const (
 	interfaceConfigNameServerKey = "NameServer"
 	interfaceConfigSearchListKey = "SearchList"
 
+	// Network interface DNS registration settings
+	disableDynamicUpdateKey           = "DisableDynamicUpdate"
+	registrationEnabledKey            = "RegistrationEnabled"
+	maxNumberOfAddressesToRegisterKey = "MaxNumberOfAddressesToRegister"
+
+	// NetBIOS/WINS settings
+	netbtInterfacePath = `SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces`
+	netbiosOptionsKey  = "NetbiosOptions"
+
+	// NetBIOS option values: 0 = from DHCP, 1 = enabled, 2 = disabled
+	netbiosFromDHCP = 0
+	netbiosEnabled  = 1
+	netbiosDisabled = 2
+
 	// RP_FORCE: Reapply all policies even if no policy change was detected
 	rpForce = 0x1
 )
@@ -67,16 +84,85 @@ func newHostManager(wgInterface WGIface) (*registryConfigurator, error) {
 		log.Infof("detected GPO DNS policy configuration, using policy store")
 	}
 
-	return &registryConfigurator{
+	configurator := &registryConfigurator{
 		guid: guid,
 		gpo:  useGPO,
-	}, nil
+	}
+
+	if err := configurator.configureInterface(); err != nil {
+		log.Errorf("failed to configure interface settings: %v", err)
+	}
+
+	return configurator, nil
 }
 
 func (r *registryConfigurator) supportCustomPort() bool {
 	return false
 }
 
+func (r *registryConfigurator) configureInterface() error {
+	var merr *multierror.Error
+
+	if err := r.disableDNSRegistrationForInterface(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("disable DNS registration: %w", err))
+	}
+
+	if err := r.disableWINSForInterface(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("disable WINS: %w", err))
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *registryConfigurator) disableDNSRegistrationForInterface() error {
+	regKey, err := r.getInterfaceRegistryKey()
+	if err != nil {
+		return fmt.Errorf("get interface registry key: %w", err)
+	}
+	defer closer(regKey)
+
+	var merr *multierror.Error
+
+	if err := regKey.SetDWordValue(disableDynamicUpdateKey, 1); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("set %s: %w", disableDynamicUpdateKey, err))
+	}
+
+	if err := regKey.SetDWordValue(registrationEnabledKey, 0); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("set %s: %w", registrationEnabledKey, err))
+	}
+
+	if err := regKey.SetDWordValue(maxNumberOfAddressesToRegisterKey, 0); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("set %s: %w", maxNumberOfAddressesToRegisterKey, err))
+	}
+
+	if merr == nil || len(merr.Errors) == 0 {
+		log.Infof("disabled DNS registration for interface %s", r.guid)
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *registryConfigurator) disableWINSForInterface() error {
+	netbtKeyPath := fmt.Sprintf(`%s\Tcpip_%s`, netbtInterfacePath, r.guid)
+
+	regKey, err := registry.OpenKey(registry.LOCAL_MACHINE, netbtKeyPath, registry.SET_VALUE)
+	if err != nil {
+		regKey, _, err = registry.CreateKey(registry.LOCAL_MACHINE, netbtKeyPath, registry.SET_VALUE)
+		if err != nil {
+			return fmt.Errorf("create NetBT interface key %s: %w", netbtKeyPath, err)
+		}
+	}
+	defer closer(regKey)
+
+	// NetbiosOptions: 2 = disabled
+	if err := regKey.SetDWordValue(netbiosOptionsKey, netbiosDisabled); err != nil {
+		return fmt.Errorf("set %s: %w", netbiosOptionsKey, err)
+	}
+
+	log.Infof("disabled WINS/NetBIOS for interface %s", r.guid)
+	return nil
+}
+
 func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *statemanager.Manager) error {
 	if config.RouteAll {
 		if err := r.addDNSSetupForAll(config.ServerIP); err != nil {
@@ -119,9 +205,7 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		return fmt.Errorf("update search domains: %w", err)
 	}
 
-	if err := r.flushDNSCache(); err != nil {
+	go r.flushDNSCache()
-		log.Errorf("failed to flush DNS cache: %v", err)
-	}
 
 	return nil
 }
@@ -191,7 +275,25 @@ func (r *registryConfigurator) string() string {
 	return "registry"
 }
 
-func (r *registryConfigurator) flushDNSCache() error {
+func (r *registryConfigurator) registerDNS() {
+	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
+	defer cancel()
+
+	// nolint:misspell
+	cmd := exec.CommandContext(ctx, "ipconfig", "/registerdns")
+	out, err := cmd.CombinedOutput()
+
+	if err != nil {
+		log.Errorf("failed to register DNS: %v, output: %s", err, out)
+		return
+	}
+
+	log.Info("registered DNS names")
+}
+
+func (r *registryConfigurator) flushDNSCache() {
+	r.registerDNS()
+
 	// dnsFlushResolverCacheFn.Call() may panic if the func is not found
 	defer func() {
 		if rec := recover(); rec != nil {
@@ -202,13 +304,14 @@ func (r *registryConfigurator) flushDNSCache() error {
 	ret, _, err := dnsFlushResolverCacheFn.Call()
 	if ret == 0 {
 		if err != nil && !errors.Is(err, syscall.Errno(0)) {
-			return fmt.Errorf("DnsFlushResolverCache failed: %w", err)
+			log.Errorf("DnsFlushResolverCache failed: %v", err)
+			return
 		}
-		return fmt.Errorf("DnsFlushResolverCache failed")
+		log.Errorf("DnsFlushResolverCache failed")
+		return
 	}
 
 	log.Info("flushed DNS cache")
-	return nil
 }
 
 func (r *registryConfigurator) updateSearchDomains(domains []string) error {
@@ -263,9 +366,7 @@ func (r *registryConfigurator) restoreHostDNS() error {
 		return fmt.Errorf("remove interface registry key: %w", err)
 	}
 
-	if err := r.flushDNSCache(); err != nil {
+	go r.flushDNSCache()
-		log.Errorf("failed to flush DNS cache: %v", err)
-	}
 
 	return nil
 }

client/internal/dns/local.go

@@ -1,130 +0,0 @@
-package dns
-
-import (
-	"fmt"
-	"strings"
-	"sync"
-
-	"github.com/miekg/dns"
-	log "github.com/sirupsen/logrus"
-
-	nbdns "github.com/netbirdio/netbird/dns"
-)
-
-type registrationMap map[string]struct{}
-
-type localResolver struct {
-	registeredMap registrationMap
-	records       sync.Map // key: string (domain_class_type), value: []dns.RR
-}
-
-func (d *localResolver) MatchSubdomains() bool {
-	return true
-}
-
-func (d *localResolver) stop() {
-}
-
-// String returns a string representation of the local resolver
-func (d *localResolver) String() string {
-	return fmt.Sprintf("local resolver [%d records]", len(d.registeredMap))
-}
-
-// ID returns the unique handler ID
-func (d *localResolver) id() handlerID {
-	return "local-resolver"
-}
-
-// ServeDNS handles a DNS request
-func (d *localResolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
-	if len(r.Question) > 0 {
-		log.Tracef("received local question: domain=%s type=%v class=%v", r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
-	}
-
-	replyMessage := &dns.Msg{}
-	replyMessage.SetReply(r)
-	replyMessage.RecursionAvailable = true
-
-	// lookup all records matching the question
-	records := d.lookupRecords(r)
-	if len(records) > 0 {
-		replyMessage.Rcode = dns.RcodeSuccess
-		replyMessage.Answer = append(replyMessage.Answer, records...)
-	} else {
-		replyMessage.Rcode = dns.RcodeNameError
-	}
-
-	err := w.WriteMsg(replyMessage)
-	if err != nil {
-		log.Debugf("got an error while writing the local resolver response, error: %v", err)
-	}
-}
-
-// lookupRecords fetches *all* DNS records matching the first question in r.
-func (d *localResolver) lookupRecords(r *dns.Msg) []dns.RR {
-	if len(r.Question) == 0 {
-		return nil
-	}
-	question := r.Question[0]
-	question.Name = strings.ToLower(question.Name)
-	key := buildRecordKey(question.Name, question.Qclass, question.Qtype)
-
-	value, found := d.records.Load(key)
-	if !found {
-		// alternatively check if we have a cname
-		if question.Qtype != dns.TypeCNAME {
-			r.Question[0].Qtype = dns.TypeCNAME
-			return d.lookupRecords(r)
-		}
-
-		return nil
-	}
-
-	records, ok := value.([]dns.RR)
-	if !ok {
-		log.Errorf("failed to cast records to []dns.RR, records: %v", value)
-		return nil
-	}
-
-	// if there's more than one record, rotate them (round-robin)
-	if len(records) > 1 {
-		first := records[0]
-		records = append(records[1:], first)
-		d.records.Store(key, records)
-	}
-
-	return records
-}
-
-// registerRecord stores a new record by appending it to any existing list
-func (d *localResolver) registerRecord(record nbdns.SimpleRecord) (string, error) {
-	rr, err := dns.NewRR(record.String())
-	if err != nil {
-		return "", fmt.Errorf("register record: %w", err)
-	}
-
-	rr.Header().Rdlength = record.Len()
-	header := rr.Header()
-	key := buildRecordKey(header.Name, header.Class, header.Rrtype)
-
-	// load any existing slice of records, then append
-	existing, _ := d.records.LoadOrStore(key, []dns.RR{})
-	records := existing.([]dns.RR)
-	records = append(records, rr)
-
-	// store updated slice
-	d.records.Store(key, records)
-	return key, nil
-}
-
-// deleteRecord removes *all* records under the recordKey.
-func (d *localResolver) deleteRecord(recordKey string) {
-	d.records.Delete(dns.Fqdn(recordKey))
-}
-
-// buildRecordKey consistently generates a key: name_class_type
-func buildRecordKey(name string, class, qType uint16) string {
-	return fmt.Sprintf("%s_%d_%d", dns.Fqdn(name), class, qType)
-}
-
-func (d *localResolver) probeAvailability() {}

client/internal/dns/local/local.go

@@ -0,0 +1,149 @@
+package local
+
+import (
+	"fmt"
+	"slices"
+	"strings"
+	"sync"
+
+	"github.com/miekg/dns"
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/exp/maps"
+
+	"github.com/netbirdio/netbird/client/internal/dns/types"
+	nbdns "github.com/netbirdio/netbird/dns"
+)
+
+type Resolver struct {
+	mu      sync.RWMutex
+	records map[dns.Question][]dns.RR
+}
+
+func NewResolver() *Resolver {
+	return &Resolver{
+		records: make(map[dns.Question][]dns.RR),
+	}
+}
+
+func (d *Resolver) MatchSubdomains() bool {
+	return true
+}
+
+// String returns a string representation of the local resolver
+func (d *Resolver) String() string {
+	return fmt.Sprintf("local resolver [%d records]", len(d.records))
+}
+
+func (d *Resolver) Stop() {}
+
+// ID returns the unique handler ID
+func (d *Resolver) ID() types.HandlerID {
+	return "local-resolver"
+}
+
+func (d *Resolver) ProbeAvailability() {}
+
+// ServeDNS handles a DNS request
+func (d *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
+	if len(r.Question) == 0 {
+		log.Debugf("received local resolver request with no question")
+		return
+	}
+	question := r.Question[0]
+	question.Name = strings.ToLower(dns.Fqdn(question.Name))
+
+	log.Tracef("received local question: domain=%s type=%v class=%v", r.Question[0].Name, question.Qtype, question.Qclass)
+
+	replyMessage := &dns.Msg{}
+	replyMessage.SetReply(r)
+	replyMessage.RecursionAvailable = true
+
+	// lookup all records matching the question
+	records := d.lookupRecords(question)
+	if len(records) > 0 {
+		replyMessage.Rcode = dns.RcodeSuccess
+		replyMessage.Answer = append(replyMessage.Answer, records...)
+	} else {
+		// TODO: return success if we have a different record type for the same name, relevant for search domains
+		replyMessage.Rcode = dns.RcodeNameError
+	}
+
+	if err := w.WriteMsg(replyMessage); err != nil {
+		log.Warnf("failed to write the local resolver response: %v", err)
+	}
+}
+
+// lookupRecords fetches *all* DNS records matching the first question in r.
+func (d *Resolver) lookupRecords(question dns.Question) []dns.RR {
+	d.mu.RLock()
+	records, found := d.records[question]
+
+	if !found {
+		d.mu.RUnlock()
+		// alternatively check if we have a cname
+		if question.Qtype != dns.TypeCNAME {
+			question.Qtype = dns.TypeCNAME
+			return d.lookupRecords(question)
+		}
+		return nil
+	}
+
+	recordsCopy := slices.Clone(records)
+	d.mu.RUnlock()
+
+	// if there's more than one record, rotate them (round-robin)
+	if len(recordsCopy) > 1 {
+		d.mu.Lock()
+		records = d.records[question]
+		if len(records) > 1 {
+			first := records[0]
+			records = append(records[1:], first)
+			d.records[question] = records
+		}
+		d.mu.Unlock()
+	}
+
+	return recordsCopy
+}
+
+func (d *Resolver) Update(update []nbdns.SimpleRecord) {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+
+	maps.Clear(d.records)
+
+	for _, rec := range update {
+		if err := d.registerRecord(rec); err != nil {
+			log.Warnf("failed to register the record (%s): %v", rec, err)
+			continue
+		}
+	}
+}
+
+// RegisterRecord stores a new record by appending it to any existing list
+func (d *Resolver) RegisterRecord(record nbdns.SimpleRecord) error {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+
+	return d.registerRecord(record)
+}
+
+// registerRecord performs the registration with the lock already held
+func (d *Resolver) registerRecord(record nbdns.SimpleRecord) error {
+	rr, err := dns.NewRR(record.String())
+	if err != nil {
+		return fmt.Errorf("register record: %w", err)
+	}
+
+	rr.Header().Rdlength = record.Len()
+	header := rr.Header()
+	q := dns.Question{
+		Name:   strings.ToLower(dns.Fqdn(header.Name)),
+		Qtype:  header.Rrtype,
+		Qclass: header.Class,
+	}
+
+	d.records[q] = append(d.records[q], rr)
+
+	return nil
+}

client/internal/dns/local/local_test.go

@@ -0,0 +1,472 @@
+package local
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/internal/dns/test"
+	nbdns "github.com/netbirdio/netbird/dns"
+)
+
+func TestLocalResolver_ServeDNS(t *testing.T) {
+	recordA := nbdns.SimpleRecord{
+		Name:  "peera.netbird.cloud.",
+		Type:  1,
+		Class: nbdns.DefaultClass,
+		TTL:   300,
+		RData: "1.2.3.4",
+	}
+
+	recordCNAME := nbdns.SimpleRecord{
+		Name:  "peerb.netbird.cloud.",
+		Type:  5,
+		Class: nbdns.DefaultClass,
+		TTL:   300,
+		RData: "www.netbird.io",
+	}
+
+	testCases := []struct {
+		name                string
+		inputRecord         nbdns.SimpleRecord
+		inputMSG            *dns.Msg
+		responseShouldBeNil bool
+	}{
+		{
+			name:        "Should Resolve A Record",
+			inputRecord: recordA,
+			inputMSG:    new(dns.Msg).SetQuestion(recordA.Name, dns.TypeA),
+		},
+		{
+			name:        "Should Resolve CNAME Record",
+			inputRecord: recordCNAME,
+			inputMSG:    new(dns.Msg).SetQuestion(recordCNAME.Name, dns.TypeCNAME),
+		},
+		{
+			name:                "Should Not Write When Not Found A Record",
+			inputRecord:         recordA,
+			inputMSG:            new(dns.Msg).SetQuestion("not.found.com", dns.TypeA),
+			responseShouldBeNil: true,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			resolver := NewResolver()
+			_ = resolver.RegisterRecord(testCase.inputRecord)
+			var responseMSG *dns.Msg
+			responseWriter := &test.MockResponseWriter{
+				WriteMsgFunc: func(m *dns.Msg) error {
+					responseMSG = m
+					return nil
+				},
+			}
+
+			resolver.ServeDNS(responseWriter, testCase.inputMSG)
+
+			if responseMSG == nil || len(responseMSG.Answer) == 0 {
+				if testCase.responseShouldBeNil {
+					return
+				}
+				t.Fatalf("should write a response message")
+			}
+
+			answerString := responseMSG.Answer[0].String()
+			if !strings.Contains(answerString, testCase.inputRecord.Name) {
+				t.Fatalf("answer doesn't contain the same domain name: \nWant: %s\nGot:%s", testCase.name, answerString)
+			}
+			if !strings.Contains(answerString, dns.Type(testCase.inputRecord.Type).String()) {
+				t.Fatalf("answer doesn't contain the correct type: \nWant: %s\nGot:%s", dns.Type(testCase.inputRecord.Type).String(), answerString)
+			}
+			if !strings.Contains(answerString, testCase.inputRecord.RData) {
+				t.Fatalf("answer doesn't contain the same address: \nWant: %s\nGot:%s", testCase.inputRecord.RData, answerString)
+			}
+		})
+	}
+}
+
+// TestLocalResolver_Update_StaleRecord verifies that updating
+// a record correctly replaces the old one, preventing stale entries.
+func TestLocalResolver_Update_StaleRecord(t *testing.T) {
+	recordName := "host.example.com."
+	recordType := dns.TypeA
+	recordClass := dns.ClassINET
+
+	record1 := nbdns.SimpleRecord{
+		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "1.1.1.1",
+	}
+	record2 := nbdns.SimpleRecord{
+		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "2.2.2.2",
+	}
+
+	recordKey := dns.Question{Name: recordName, Qtype: uint16(recordClass), Qclass: recordType}
+
+	resolver := NewResolver()
+
+	update1 := []nbdns.SimpleRecord{record1}
+	update2 := []nbdns.SimpleRecord{record2}
+
+	// Apply first update
+	resolver.Update(update1)
+
+	// Verify first update
+	resolver.mu.RLock()
+	rrSlice1, found1 := resolver.records[recordKey]
+	resolver.mu.RUnlock()
+
+	require.True(t, found1, "Record key %s not found after first update", recordKey)
+	require.Len(t, rrSlice1, 1, "Should have exactly 1 record after first update")
+	assert.Contains(t, rrSlice1[0].String(), record1.RData, "Record after first update should be %s", record1.RData)
+
+	// Apply second update
+	resolver.Update(update2)
+
+	// Verify second update
+	resolver.mu.RLock()
+	rrSlice2, found2 := resolver.records[recordKey]
+	resolver.mu.RUnlock()
+
+	require.True(t, found2, "Record key %s not found after second update", recordKey)
+	require.Len(t, rrSlice2, 1, "Should have exactly 1 record after update overwriting the key")
+	assert.Contains(t, rrSlice2[0].String(), record2.RData, "The single record should be the updated one (%s)", record2.RData)
+	assert.NotContains(t, rrSlice2[0].String(), record1.RData, "The stale record (%s) should not be present", record1.RData)
+}
+
+// TestLocalResolver_MultipleRecords_SameQuestion verifies that multiple records
+// with the same question are stored properly
+func TestLocalResolver_MultipleRecords_SameQuestion(t *testing.T) {
+	resolver := NewResolver()
+
+	recordName := "multi.example.com."
+	recordType := dns.TypeA
+
+	// Create two records with the same name and type but different IPs
+	record1 := nbdns.SimpleRecord{
+		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1",
+	}
+	record2 := nbdns.SimpleRecord{
+		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.2",
+	}
+
+	update := []nbdns.SimpleRecord{record1, record2}
+
+	// Apply update with both records
+	resolver.Update(update)
+
+	// Create question that matches both records
+	question := dns.Question{
+		Name:   recordName,
+		Qtype:  recordType,
+		Qclass: dns.ClassINET,
+	}
+
+	// Verify both records are stored
+	resolver.mu.RLock()
+	records, found := resolver.records[question]
+	resolver.mu.RUnlock()
+
+	require.True(t, found, "Records for question %v not found", question)
+	require.Len(t, records, 2, "Should have exactly 2 records for the same question")
+
+	// Verify both record data values are present
+	recordStrings := []string{records[0].String(), records[1].String()}
+	assert.Contains(t, recordStrings[0]+recordStrings[1], record1.RData, "First record data should be present")
+	assert.Contains(t, recordStrings[0]+recordStrings[1], record2.RData, "Second record data should be present")
+}
+
+// TestLocalResolver_RecordRotation verifies that records are rotated in a round-robin fashion
+func TestLocalResolver_RecordRotation(t *testing.T) {
+	resolver := NewResolver()
+
+	recordName := "rotation.example.com."
+	recordType := dns.TypeA
+
+	// Create three records with the same name and type but different IPs
+	record1 := nbdns.SimpleRecord{
+		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "192.168.1.1",
+	}
+	record2 := nbdns.SimpleRecord{
+		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "192.168.1.2",
+	}
+	record3 := nbdns.SimpleRecord{
+		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "192.168.1.3",
+	}
+
+	update := []nbdns.SimpleRecord{record1, record2, record3}
+
+	// Apply update with all three records
+	resolver.Update(update)
+
+	msg := new(dns.Msg).SetQuestion(recordName, recordType)
+
+	// First lookup - should return the records in original order
+	var responses [3]*dns.Msg
+
+	// Perform three lookups to verify rotation
+	for i := 0; i < 3; i++ {
+		responseWriter := &test.MockResponseWriter{
+			WriteMsgFunc: func(m *dns.Msg) error {
+				responses[i] = m
+				return nil
+			},
+		}
+
+		resolver.ServeDNS(responseWriter, msg)
+	}
+
+	// Verify all three responses contain answers
+	for i, resp := range responses {
+		require.NotNil(t, resp, "Response %d should not be nil", i)
+		require.Len(t, resp.Answer, 3, "Response %d should have 3 answers", i)
+	}
+
+	// Verify the first record in each response is different due to rotation
+	firstRecordIPs := []string{
+		responses[0].Answer[0].String(),
+		responses[1].Answer[0].String(),
+		responses[2].Answer[0].String(),
+	}
+
+	// Each record should be different (rotated)
+	assert.NotEqual(t, firstRecordIPs[0], firstRecordIPs[1], "First lookup should differ from second lookup due to rotation")
+	assert.NotEqual(t, firstRecordIPs[1], firstRecordIPs[2], "Second lookup should differ from third lookup due to rotation")
+	assert.NotEqual(t, firstRecordIPs[0], firstRecordIPs[2], "First lookup should differ from third lookup due to rotation")
+
+	// After three rotations, we should have cycled through all records
+	assert.Contains(t, firstRecordIPs[0]+firstRecordIPs[1]+firstRecordIPs[2], record1.RData)
+	assert.Contains(t, firstRecordIPs[0]+firstRecordIPs[1]+firstRecordIPs[2], record2.RData)
+	assert.Contains(t, firstRecordIPs[0]+firstRecordIPs[1]+firstRecordIPs[2], record3.RData)
+}
+
+// TestLocalResolver_CaseInsensitiveMatching verifies that DNS record lookups are case-insensitive
+func TestLocalResolver_CaseInsensitiveMatching(t *testing.T) {
+	resolver := NewResolver()
+
+	// Create record with lowercase name
+	lowerCaseRecord := nbdns.SimpleRecord{
+		Name:  "lower.example.com.",
+		Type:  int(dns.TypeA),
+		Class: nbdns.DefaultClass,
+		TTL:   300,
+		RData: "10.10.10.10",
+	}
+
+	// Create record with mixed case name
+	mixedCaseRecord := nbdns.SimpleRecord{
+		Name:  "MiXeD.ExAmPlE.CoM.",
+		Type:  int(dns.TypeA),
+		Class: nbdns.DefaultClass,
+		TTL:   300,
+		RData: "20.20.20.20",
+	}
+
+	// Update resolver with the records
+	resolver.Update([]nbdns.SimpleRecord{lowerCaseRecord, mixedCaseRecord})
+
+	testCases := []struct {
+		name          string
+		queryName     string
+		expectedRData string
+		shouldResolve bool
+	}{
+		{
+			name:          "Query lowercase with lowercase record",
+			queryName:     "lower.example.com.",
+			expectedRData: "10.10.10.10",
+			shouldResolve: true,
+		},
+		{
+			name:          "Query uppercase with lowercase record",
+			queryName:     "LOWER.EXAMPLE.COM.",
+			expectedRData: "10.10.10.10",
+			shouldResolve: true,
+		},
+		{
+			name:          "Query mixed case with lowercase record",
+			queryName:     "LoWeR.eXaMpLe.CoM.",
+			expectedRData: "10.10.10.10",
+			shouldResolve: true,
+		},
+		{
+			name:          "Query lowercase with mixed case record",
+			queryName:     "mixed.example.com.",
+			expectedRData: "20.20.20.20",
+			shouldResolve: true,
+		},
+		{
+			name:          "Query uppercase with mixed case record",
+			queryName:     "MIXED.EXAMPLE.COM.",
+			expectedRData: "20.20.20.20",
+			shouldResolve: true,
+		},
+		{
+			name:          "Query with different casing pattern",
+			queryName:     "mIxEd.ExaMpLe.cOm.",
+			expectedRData: "20.20.20.20",
+			shouldResolve: true,
+		},
+		{
+			name:          "Query non-existent domain",
+			queryName:     "nonexistent.example.com.",
+			shouldResolve: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			var responseMSG *dns.Msg
+
+			// Create DNS query with the test case name
+			msg := new(dns.Msg).SetQuestion(tc.queryName, dns.TypeA)
+
+			// Create mock response writer to capture the response
+			responseWriter := &test.MockResponseWriter{
+				WriteMsgFunc: func(m *dns.Msg) error {
+					responseMSG = m
+					return nil
+				},
+			}
+
+			// Perform DNS query
+			resolver.ServeDNS(responseWriter, msg)
+
+			// Check if we expect a successful resolution
+			if !tc.shouldResolve {
+				if responseMSG == nil || len(responseMSG.Answer) == 0 {
+					// Expected no answer, test passes
+					return
+				}
+				t.Fatalf("Expected no resolution for %s, but got answer: %v", tc.queryName, responseMSG.Answer)
+			}
+
+			// Verify we got a response
+			require.NotNil(t, responseMSG, "Should have received a response message")
+			require.Greater(t, len(responseMSG.Answer), 0, "Response should contain at least one answer")
+
+			// Verify the response contains the expected data
+			answerString := responseMSG.Answer[0].String()
+			assert.Contains(t, answerString, tc.expectedRData,
+				"Answer should contain the expected IP address %s, got: %s",
+				tc.expectedRData, answerString)
+		})
+	}
+}
+
+// TestLocalResolver_CNAMEFallback verifies that the resolver correctly falls back
+// to checking for CNAME records when the requested record type isn't found
+func TestLocalResolver_CNAMEFallback(t *testing.T) {
+	resolver := NewResolver()
+
+	// Create a CNAME record (but no A record for this name)
+	cnameRecord := nbdns.SimpleRecord{
+		Name:  "alias.example.com.",
+		Type:  int(dns.TypeCNAME),
+		Class: nbdns.DefaultClass,
+		TTL:   300,
+		RData: "target.example.com.",
+	}
+
+	// Create an A record for the CNAME target
+	targetRecord := nbdns.SimpleRecord{
+		Name:  "target.example.com.",
+		Type:  int(dns.TypeA),
+		Class: nbdns.DefaultClass,
+		TTL:   300,
+		RData: "192.168.100.100",
+	}
+
+	// Update resolver with both records
+	resolver.Update([]nbdns.SimpleRecord{cnameRecord, targetRecord})
+
+	testCases := []struct {
+		name          string
+		queryName     string
+		queryType     uint16
+		expectedType  string
+		expectedRData string
+		shouldResolve bool
+	}{
+		{
+			name:          "Directly query CNAME record",
+			queryName:     "alias.example.com.",
+			queryType:     dns.TypeCNAME,
+			expectedType:  "CNAME",
+			expectedRData: "target.example.com.",
+			shouldResolve: true,
+		},
+		{
+			name:          "Query A record but get CNAME fallback",
+			queryName:     "alias.example.com.",
+			queryType:     dns.TypeA,
+			expectedType:  "CNAME",
+			expectedRData: "target.example.com.",
+			shouldResolve: true,
+		},
+		{
+			name:          "Query AAAA record but get CNAME fallback",
+			queryName:     "alias.example.com.",
+			queryType:     dns.TypeAAAA,
+			expectedType:  "CNAME",
+			expectedRData: "target.example.com.",
+			shouldResolve: true,
+		},
+		{
+			name:          "Query direct A record",
+			queryName:     "target.example.com.",
+			queryType:     dns.TypeA,
+			expectedType:  "A",
+			expectedRData: "192.168.100.100",
+			shouldResolve: true,
+		},
+		{
+			name:          "Query non-existent name",
+			queryName:     "nonexistent.example.com.",
+			queryType:     dns.TypeA,
+			shouldResolve: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			var responseMSG *dns.Msg
+
+			// Create DNS query with the test case parameters
+			msg := new(dns.Msg).SetQuestion(tc.queryName, tc.queryType)
+
+			// Create mock response writer to capture the response
+			responseWriter := &test.MockResponseWriter{
+				WriteMsgFunc: func(m *dns.Msg) error {
+					responseMSG = m
+					return nil
+				},
+			}
+
+			// Perform DNS query
+			resolver.ServeDNS(responseWriter, msg)
+
+			// Check if we expect a successful resolution
+			if !tc.shouldResolve {
+				if responseMSG == nil || len(responseMSG.Answer) == 0 || responseMSG.Rcode != dns.RcodeSuccess {
+					// Expected no resolution, test passes
+					return
+				}
+				t.Fatalf("Expected no resolution for %s, but got answer: %v", tc.queryName, responseMSG.Answer)
+			}
+
+			// Verify we got a successful response
+			require.NotNil(t, responseMSG, "Should have received a response message")
+			require.Equal(t, dns.RcodeSuccess, responseMSG.Rcode, "Response should have success status code")
+			require.Greater(t, len(responseMSG.Answer), 0, "Response should contain at least one answer")
+
+			// Verify the response contains the expected data
+			answerString := responseMSG.Answer[0].String()
+			assert.Contains(t, answerString, tc.expectedType,
+				"Answer should be of type %s, got: %s", tc.expectedType, answerString)
+			assert.Contains(t, answerString, tc.expectedRData,
+				"Answer should contain the expected data %s, got: %s", tc.expectedRData, answerString)
+		})
+	}
+}

client/internal/dns/local_test.go

@@ -1,88 +0,0 @@
-package dns
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/miekg/dns"
-
-	nbdns "github.com/netbirdio/netbird/dns"
-)
-
-func TestLocalResolver_ServeDNS(t *testing.T) {
-	recordA := nbdns.SimpleRecord{
-		Name:  "peera.netbird.cloud.",
-		Type:  1,
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "1.2.3.4",
-	}
-
-	recordCNAME := nbdns.SimpleRecord{
-		Name:  "peerb.netbird.cloud.",
-		Type:  5,
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "www.netbird.io",
-	}
-
-	testCases := []struct {
-		name                string
-		inputRecord         nbdns.SimpleRecord
-		inputMSG            *dns.Msg
-		responseShouldBeNil bool
-	}{
-		{
-			name:        "Should Resolve A Record",
-			inputRecord: recordA,
-			inputMSG:    new(dns.Msg).SetQuestion(recordA.Name, dns.TypeA),
-		},
-		{
-			name:        "Should Resolve CNAME Record",
-			inputRecord: recordCNAME,
-			inputMSG:    new(dns.Msg).SetQuestion(recordCNAME.Name, dns.TypeCNAME),
-		},
-		{
-			name:                "Should Not Write When Not Found A Record",
-			inputRecord:         recordA,
-			inputMSG:            new(dns.Msg).SetQuestion("not.found.com", dns.TypeA),
-			responseShouldBeNil: true,
-		},
-	}
-
-	for _, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			resolver := &localResolver{
-				registeredMap: make(registrationMap),
-			}
-			_, _ = resolver.registerRecord(testCase.inputRecord)
-			var responseMSG *dns.Msg
-			responseWriter := &mockResponseWriter{
-				WriteMsgFunc: func(m *dns.Msg) error {
-					responseMSG = m
-					return nil
-				},
-			}
-
-			resolver.ServeDNS(responseWriter, testCase.inputMSG)
-
-			if responseMSG == nil || len(responseMSG.Answer) == 0 {
-				if testCase.responseShouldBeNil {
-					return
-				}
-				t.Fatalf("should write a response message")
-			}
-
-			answerString := responseMSG.Answer[0].String()
-			if !strings.Contains(answerString, testCase.inputRecord.Name) {
-				t.Fatalf("answer doesn't contain the same domain name: \nWant: %s\nGot:%s", testCase.name, answerString)
-			}
-			if !strings.Contains(answerString, dns.Type(testCase.inputRecord.Type).String()) {
-				t.Fatalf("answer doesn't contain the correct type: \nWant: %s\nGot:%s", dns.Type(testCase.inputRecord.Type).String(), answerString)
-			}
-			if !strings.Contains(answerString, testCase.inputRecord.RData) {
-				t.Fatalf("answer doesn't contain the same address: \nWant: %s\nGot:%s", testCase.inputRecord.RData, answerString)
-			}
-		})
-	}
-}

client/internal/dns/mock_test.go

@@ -1,26 +0,0 @@
-package dns
-
-import (
-	"net"
-
-	"github.com/miekg/dns"
-)
-
-type mockResponseWriter struct {
-	WriteMsgFunc func(m *dns.Msg) error
-}
-
-func (rw *mockResponseWriter) WriteMsg(m *dns.Msg) error {
-	if rw.WriteMsgFunc != nil {
-		return rw.WriteMsgFunc(m)
-	}
-	return nil
-}
-
-func (rw *mockResponseWriter) LocalAddr() net.Addr       { return nil }
-func (rw *mockResponseWriter) RemoteAddr() net.Addr      { return nil }
-func (rw *mockResponseWriter) Write([]byte) (int, error) { return 0, nil }
-func (rw *mockResponseWriter) Close() error              { return nil }
-func (rw *mockResponseWriter) TsigStatus() error         { return nil }
-func (rw *mockResponseWriter) TsigTimersOnly(bool)       {}
-func (rw *mockResponseWriter) Hijack()                   {}

client/internal/dns/server.go

@@ -15,6 +15,8 @@ import (
 	"golang.org/x/exp/maps"
 
 	"github.com/netbirdio/netbird/client/iface/netstack"
+	"github.com/netbirdio/netbird/client/internal/dns/local"
+	"github.com/netbirdio/netbird/client/internal/dns/types"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
@@ -46,8 +48,6 @@ type Server interface {
 	ProbeAvailability()
 }
 
-type handlerID string
-
 type nsGroupsByDomain struct {
 	domain string
 	groups []*nbdns.NameServerGroup
@@ -61,7 +61,7 @@ type DefaultServer struct {
 	mux                sync.Mutex
 	service            service
 	dnsMuxMap          registeredHandlerMap
-	localResolver      *localResolver
+	localResolver      *local.Resolver
 	wgInterface        WGIface
 	hostManager        hostManager
 	updateSerial       uint64
@@ -84,9 +84,9 @@ type DefaultServer struct {
 
 type handlerWithStop interface {
 	dns.Handler
-	stop()
+	Stop()
-	probeAvailability()
+	ProbeAvailability()
-	id() handlerID
+	ID() types.HandlerID
 }
 
 type handlerWrapper struct {
@@ -95,7 +95,7 @@ type handlerWrapper struct {
 	priority int
 }
 
-type registeredHandlerMap map[handlerID]handlerWrapper
+type registeredHandlerMap map[types.HandlerID]handlerWrapper
 
 // NewDefaultServer returns a new dns server
 func NewDefaultServer(
@@ -178,9 +178,7 @@ func newDefaultServer(
 		handlerChain:   handlerChain,
 		extraDomains:   make(map[domain.Domain]int),
 		dnsMuxMap:      make(registeredHandlerMap),
-		localResolver: &localResolver{
+		localResolver:  local.NewResolver(),
-			registeredMap: make(registrationMap),
-		},
 		wgInterface:    wgInterface,
 		statusRecorder: statusRecorder,
 		stateManager:   stateManager,
@@ -403,7 +401,7 @@ func (s *DefaultServer) ProbeAvailability() {
 		wg.Add(1)
 		go func(mux handlerWithStop) {
 			defer wg.Done()
-			mux.probeAvailability()
+			mux.ProbeAvailability()
 		}(mux.handler)
 	}
 	wg.Wait()
@@ -420,7 +418,7 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 		s.service.Stop()
 	}
 
-	localMuxUpdates, localRecordsByDomain, err := s.buildLocalHandlerUpdate(update.CustomZones)
+	localMuxUpdates, localRecords, err := s.buildLocalHandlerUpdate(update.CustomZones)
 	if err != nil {
 		return fmt.Errorf("local handler updater: %w", err)
 	}
@@ -434,7 +432,7 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 	s.updateMux(muxUpdates)
 
 	// register local records
-	s.updateLocalResolver(localRecordsByDomain)
+	s.localResolver.Update(localRecords)
 
 	s.currentConfig = dnsConfigToHostDNSConfig(update, s.service.RuntimeIP(), s.service.RuntimePort())
 
@@ -491,7 +489,7 @@ func (s *DefaultServer) applyHostConfig() {
 		}
 	}
 
-	log.Debugf("extra match domains: %v", s.extraDomains)
+	log.Debugf("extra match domains: %v", maps.Keys(s.extraDomains))
 
 	if err := s.hostManager.applyDNSConfig(config, s.stateManager); err != nil {
 		log.Errorf("failed to apply DNS host manager update: %v", err)
@@ -516,11 +514,9 @@ func (s *DefaultServer) handleErrNoGroupaAll(err error) {
 	)
 }
 
-func (s *DefaultServer) buildLocalHandlerUpdate(
+func (s *DefaultServer) buildLocalHandlerUpdate(customZones []nbdns.CustomZone) ([]handlerWrapper, []nbdns.SimpleRecord, error) {
-	customZones []nbdns.CustomZone,
-) ([]handlerWrapper, map[string][]nbdns.SimpleRecord, error) {
 	var muxUpdates []handlerWrapper
-	localRecords := make(map[string][]nbdns.SimpleRecord)
+	var localRecords []nbdns.SimpleRecord
 
 	for _, customZone := range customZones {
 		if len(customZone.Records) == 0 {
@@ -534,17 +530,13 @@ func (s *DefaultServer) buildLocalHandlerUpdate(
 			priority: PriorityMatchDomain,
 		})
 
-		// group all records under this domain
 		for _, record := range customZone.Records {
-			var class uint16 = dns.ClassINET
 			if record.Class != nbdns.DefaultClass {
 				log.Warnf("received an invalid class type: %s", record.Class)
 				continue
 			}
-
+			// zone records contain the fqdn, so we can just flatten them
-			key := buildRecordKey(record.Name, class, uint16(record.Type))
+			localRecords = append(localRecords, record)
-
-			localRecords[key] = append(localRecords[key], record)
 		}
 	}
 
@@ -627,7 +619,7 @@ func (s *DefaultServer) createHandlersForDomainGroup(domainGroup nsGroupsByDomai
 		}
 
 		if len(handler.upstreamServers) == 0 {
-			handler.stop()
+			handler.Stop()
 			log.Errorf("received a nameserver group with an invalid nameserver list")
 			continue
 		}
@@ -656,7 +648,7 @@ func (s *DefaultServer) updateMux(muxUpdates []handlerWrapper) {
 	// this will introduce a short period of time when the server is not able to handle DNS requests
 	for _, existing := range s.dnsMuxMap {
 		s.deregisterHandler([]string{existing.domain}, existing.priority)
-		existing.handler.stop()
+		existing.handler.Stop()
 	}
 
 	muxUpdateMap := make(registeredHandlerMap)
@@ -667,7 +659,7 @@ func (s *DefaultServer) updateMux(muxUpdates []handlerWrapper) {
 			containsRootUpdate = true
 		}
 		s.registerHandler([]string{update.domain}, update.handler, update.priority)
-		muxUpdateMap[update.handler.id()] = update
+		muxUpdateMap[update.handler.ID()] = update
 	}
 
 	// If there's no root update and we had a root handler, restore it
@@ -683,33 +675,6 @@ func (s *DefaultServer) updateMux(muxUpdates []handlerWrapper) {
 	s.dnsMuxMap = muxUpdateMap
 }
 
-func (s *DefaultServer) updateLocalResolver(update map[string][]nbdns.SimpleRecord) {
-	// remove old records that are no longer present
-	for key := range s.localResolver.registeredMap {
-		_, found := update[key]
-		if !found {
-			s.localResolver.deleteRecord(key)
-		}
-	}
-
-	updatedMap := make(registrationMap)
-	for _, recs := range update {
-		for _, rec := range recs {
-			// convert the record to a dns.RR and register
-			key, err := s.localResolver.registerRecord(rec)
-			if err != nil {
-				log.Warnf("got an error while registering the record (%s), error: %v",
-					rec.String(), err)
-				continue
-			}
-
-			updatedMap[key] = struct{}{}
-		}
-	}
-
-	s.localResolver.registeredMap = updatedMap
-}
-
 func getNSHostPort(ns nbdns.NameServer) string {
 	return fmt.Sprintf("%s:%d", ns.IP.String(), ns.Port)
 }

client/internal/dns/server_test.go

@@ -23,6 +23,9 @@ import (
 	"github.com/netbirdio/netbird/client/iface/device"
 	pfmock "github.com/netbirdio/netbird/client/iface/mocks"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
+	"github.com/netbirdio/netbird/client/internal/dns/local"
+	"github.com/netbirdio/netbird/client/internal/dns/test"
+	"github.com/netbirdio/netbird/client/internal/dns/types"
 	"github.com/netbirdio/netbird/client/internal/netflow"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
@@ -43,10 +46,9 @@ func (w *mocWGIface) Name() string {
 }
 
 func (w *mocWGIface) Address() wgaddr.Address {
-	ip, network, _ := net.ParseCIDR("100.66.100.0/24")
 	return wgaddr.Address{
-		IP:      ip,
+		IP:      netip.MustParseAddr("100.66.100.1"),
-		Network: network,
+		Network: netip.MustParsePrefix("100.66.100.0/24"),
 	}
 }
 
@@ -107,6 +109,7 @@ func generateDummyHandler(domain string, servers []nbdns.NameServer) *upstreamRe
 }
 
 func TestUpdateDNSServer(t *testing.T) {
+
 	nameServers := []nbdns.NameServer{
 		{
 			IP:     netip.MustParseAddr("8.8.8.8"),
@@ -120,22 +123,21 @@ func TestUpdateDNSServer(t *testing.T) {
 		},
 	}
 
-	dummyHandler := &localResolver{}
+	dummyHandler := local.NewResolver()
 
 	testCases := []struct {
 		name                string
 		initUpstreamMap     registeredHandlerMap
-		initLocalMap        registrationMap
+		initLocalRecords    []nbdns.SimpleRecord
 		initSerial          uint64
 		inputSerial         uint64
 		inputUpdate         nbdns.Config
 		shouldFail          bool
 		expectedUpstreamMap registeredHandlerMap
-		expectedLocalMap    registrationMap
+		expectedLocalQs     []dns.Question
 	}{
 		{
 			name:            "Initial Config Should Succeed",
-			initLocalMap:    make(registrationMap),
 			initUpstreamMap: make(registeredHandlerMap),
 			initSerial:      0,
 			inputSerial:     1,
@@ -159,30 +161,30 @@ func TestUpdateDNSServer(t *testing.T) {
 				},
 			},
 			expectedUpstreamMap: registeredHandlerMap{
-				generateDummyHandler("netbird.io", nameServers).id(): handlerWrapper{
+				generateDummyHandler("netbird.io", nameServers).ID(): handlerWrapper{
 					domain:   "netbird.io",
 					handler:  dummyHandler,
 					priority: PriorityMatchDomain,
 				},
-				dummyHandler.id(): handlerWrapper{
+				dummyHandler.ID(): handlerWrapper{
 					domain:   "netbird.cloud",
 					handler:  dummyHandler,
 					priority: PriorityMatchDomain,
 				},
-				generateDummyHandler(".", nameServers).id(): handlerWrapper{
+				generateDummyHandler(".", nameServers).ID(): handlerWrapper{
 					domain:   nbdns.RootZone,
 					handler:  dummyHandler,
 					priority: PriorityDefault,
 				},
 			},
-			expectedLocalMap: registrationMap{buildRecordKey(zoneRecords[0].Name, 1, 1): struct{}{}},
+			expectedLocalQs: []dns.Question{{Name: "peera.netbird.cloud.", Qtype: dns.TypeA, Qclass: dns.ClassINET}},
 		},
 		{
 			name:             "New Config Should Succeed",
-			initLocalMap: registrationMap{"netbird.cloud": struct{}{}},
+			initLocalRecords: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: 1, Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}},
 			initUpstreamMap: registeredHandlerMap{
-				generateDummyHandler(zoneRecords[0].Name, nameServers).id(): handlerWrapper{
+				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
-					domain:   buildRecordKey(zoneRecords[0].Name, 1, 1),
+					domain:   "netbird.cloud",
 					handler:  dummyHandler,
 					priority: PriorityMatchDomain,
 				},
@@ -205,7 +207,7 @@ func TestUpdateDNSServer(t *testing.T) {
 				},
 			},
 			expectedUpstreamMap: registeredHandlerMap{
-				generateDummyHandler("netbird.io", nameServers).id(): handlerWrapper{
+				generateDummyHandler("netbird.io", nameServers).ID(): handlerWrapper{
 					domain:   "netbird.io",
 					handler:  dummyHandler,
 					priority: PriorityMatchDomain,
@@ -216,11 +218,11 @@ func TestUpdateDNSServer(t *testing.T) {
 					priority: PriorityMatchDomain,
 				},
 			},
-			expectedLocalMap: registrationMap{buildRecordKey(zoneRecords[0].Name, 1, 1): struct{}{}},
+			expectedLocalQs: []dns.Question{{Name: zoneRecords[0].Name, Qtype: 1, Qclass: 1}},
 		},
 		{
 			name:             "Smaller Config Serial Should Be Skipped",
-			initLocalMap:    make(registrationMap),
+			initLocalRecords: []nbdns.SimpleRecord{},
 			initUpstreamMap:  make(registeredHandlerMap),
 			initSerial:       2,
 			inputSerial:      1,
@@ -228,7 +230,7 @@ func TestUpdateDNSServer(t *testing.T) {
 		},
 		{
 			name:             "Empty NS Group Domain Or Not Primary Element Should Fail",
-			initLocalMap:    make(registrationMap),
+			initLocalRecords: []nbdns.SimpleRecord{},
 			initUpstreamMap:  make(registeredHandlerMap),
 			initSerial:       0,
 			inputSerial:      1,
@@ -250,7 +252,7 @@ func TestUpdateDNSServer(t *testing.T) {
 		},
 		{
 			name:             "Invalid NS Group Nameservers list Should Fail",
-			initLocalMap:    make(registrationMap),
+			initLocalRecords: []nbdns.SimpleRecord{},
 			initUpstreamMap:  make(registeredHandlerMap),
 			initSerial:       0,
 			inputSerial:      1,
@@ -272,7 +274,7 @@ func TestUpdateDNSServer(t *testing.T) {
 		},
 		{
 			name:             "Invalid Custom Zone Records list Should Skip",
-			initLocalMap:    make(registrationMap),
+			initLocalRecords: []nbdns.SimpleRecord{},
 			initUpstreamMap:  make(registeredHandlerMap),
 			initSerial:       0,
 			inputSerial:      1,
@@ -290,7 +292,7 @@ func TestUpdateDNSServer(t *testing.T) {
 					},
 				},
 			},
-			expectedUpstreamMap: registeredHandlerMap{generateDummyHandler(".", nameServers).id(): handlerWrapper{
+			expectedUpstreamMap: registeredHandlerMap{generateDummyHandler(".", nameServers).ID(): handlerWrapper{
 				domain:   ".",
 				handler:  dummyHandler,
 				priority: PriorityDefault,
@@ -298,9 +300,9 @@ func TestUpdateDNSServer(t *testing.T) {
 		},
 		{
 			name:             "Empty Config Should Succeed and Clean Maps",
-			initLocalMap: registrationMap{"netbird.cloud": struct{}{}},
+			initLocalRecords: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: int(dns.TypeA), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}},
 			initUpstreamMap: registeredHandlerMap{
-				generateDummyHandler(zoneRecords[0].Name, nameServers).id(): handlerWrapper{
+				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
 					domain:   zoneRecords[0].Name,
 					handler:  dummyHandler,
 					priority: PriorityMatchDomain,
@@ -310,13 +312,13 @@ func TestUpdateDNSServer(t *testing.T) {
 			inputSerial:         1,
 			inputUpdate:         nbdns.Config{ServiceEnable: true},
 			expectedUpstreamMap: make(registeredHandlerMap),
-			expectedLocalMap:    make(registrationMap),
+			expectedLocalQs:     []dns.Question{},
 		},
 		{
 			name:             "Disabled Service Should clean map",
-			initLocalMap: registrationMap{"netbird.cloud": struct{}{}},
+			initLocalRecords: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: int(dns.TypeA), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}},
 			initUpstreamMap: registeredHandlerMap{
-				generateDummyHandler(zoneRecords[0].Name, nameServers).id(): handlerWrapper{
+				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
 					domain:   zoneRecords[0].Name,
 					handler:  dummyHandler,
 					priority: PriorityMatchDomain,
@@ -326,7 +328,7 @@ func TestUpdateDNSServer(t *testing.T) {
 			inputSerial:         1,
 			inputUpdate:         nbdns.Config{ServiceEnable: false},
 			expectedUpstreamMap: make(registeredHandlerMap),
-			expectedLocalMap:    make(registrationMap),
+			expectedLocalQs:     []dns.Question{},
 		},
 	}
 
@@ -377,7 +379,7 @@ func TestUpdateDNSServer(t *testing.T) {
 			}()
 
 			dnsServer.dnsMuxMap = testCase.initUpstreamMap
-			dnsServer.localResolver.registeredMap = testCase.initLocalMap
+			dnsServer.localResolver.Update(testCase.initLocalRecords)
 			dnsServer.updateSerial = testCase.initSerial
 
 			err = dnsServer.UpdateDNSServer(testCase.inputSerial, testCase.inputUpdate)
@@ -399,15 +401,23 @@ func TestUpdateDNSServer(t *testing.T) {
 				}
 			}
 
-			if len(dnsServer.localResolver.registeredMap) != len(testCase.expectedLocalMap) {
+			var responseMSG *dns.Msg
-				t.Fatalf("update local failed, registered map size is different than expected, want %d, got %d", len(testCase.expectedLocalMap), len(dnsServer.localResolver.registeredMap))
+			responseWriter := &test.MockResponseWriter{
+				WriteMsgFunc: func(m *dns.Msg) error {
+					responseMSG = m
+					return nil
+				},
+			}
+			for _, q := range testCase.expectedLocalQs {
+				dnsServer.localResolver.ServeDNS(responseWriter, &dns.Msg{
+					Question: []dns.Question{q},
+				})
 			}
 
-			for key := range testCase.expectedLocalMap {
+			if len(testCase.expectedLocalQs) > 0 {
-				_, found := dnsServer.localResolver.registeredMap[key]
+				assert.NotNil(t, responseMSG, "response message should not be nil")
-				if !found {
+				assert.Equal(t, dns.RcodeSuccess, responseMSG.Rcode, "response code should be success")
-					t.Fatalf("update local failed, key %s was not found in the localResolver.registeredMap: %#v", key, dnsServer.localResolver.registeredMap)
+				assert.NotEmpty(t, responseMSG.Answer, "response message should have answers")
-				}
 			}
 		})
 	}
@@ -453,17 +463,10 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
 
-	_, ipNet, err := net.ParseCIDR("100.66.100.1/32")
-	if err != nil {
-		t.Errorf("parse CIDR: %v", err)
-		return
-	}
-
 	packetfilter := pfmock.NewMockPacketFilter(ctrl)
 	packetfilter.EXPECT().DropOutgoing(gomock.Any(), gomock.Any()).AnyTimes()
 	packetfilter.EXPECT().AddUDPPacketHook(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any())
 	packetfilter.EXPECT().RemovePacketHook(gomock.Any())
-	packetfilter.EXPECT().SetNetwork(ipNet)
 
 	if err := wgIface.SetFilter(packetfilter); err != nil {
 		t.Errorf("set packet filter: %v", err)
@@ -491,11 +494,12 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 	dnsServer.dnsMuxMap = registeredHandlerMap{
 		"id1": handlerWrapper{
 			domain:   zoneRecords[0].Name,
-			handler:  &localResolver{},
+			handler:  &local.Resolver{},
 			priority: PriorityMatchDomain,
 		},
 	}
-	dnsServer.localResolver.registeredMap = registrationMap{"netbird.cloud": struct{}{}}
+	//dnsServer.localResolver.RegisteredMap = local.RegistrationMap{local.BuildRecordKey("netbird.cloud", dns.ClassINET, dns.TypeA): struct{}{}}
+	dnsServer.localResolver.Update([]nbdns.SimpleRecord{{Name: "netbird.cloud", Type: int(dns.TypeA), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}})
 	dnsServer.updateSerial = 0
 
 	nameServers := []nbdns.NameServer{
@@ -582,7 +586,7 @@ func TestDNSServerStartStop(t *testing.T) {
 			}
 			time.Sleep(100 * time.Millisecond)
 			defer dnsServer.Stop()
-			_, err = dnsServer.localResolver.registerRecord(zoneRecords[0])
+			err = dnsServer.localResolver.RegisterRecord(zoneRecords[0])
 			if err != nil {
 				t.Error(err)
 			}
@@ -632,9 +636,7 @@ func TestDNSServerUpstreamDeactivateCallback(t *testing.T) {
 	server := DefaultServer{
 		ctx:           context.Background(),
 		service:       NewServiceViaMemory(&mocWGIface{}),
-		localResolver: &localResolver{
+		localResolver: local.NewResolver(),
-			registeredMap: make(registrationMap),
-		},
 		handlerChain:  NewHandlerChain(),
 		hostManager:   hostManager,
 		currentConfig: HostDNSConfig{
@@ -1004,7 +1006,7 @@ func TestHandlerChain_DomainPriorities(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			r := new(dns.Msg)
 			r.SetQuestion(tc.query, dns.TypeA)
-			w := &ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+			w := &ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 
 			if mh, ok := tc.expectedHandler.(*MockHandler); ok {
 				mh.On("ServeDNS", mock.Anything, r).Once()
@@ -1037,9 +1039,9 @@ type mockHandler struct {
 }
 
 func (m *mockHandler) ServeDNS(dns.ResponseWriter, *dns.Msg) {}
-func (m *mockHandler) stop()                                 {}
+func (m *mockHandler) Stop()                                 {}
-func (m *mockHandler) probeAvailability()                    {}
+func (m *mockHandler) ProbeAvailability()                    {}
-func (m *mockHandler) id() handlerID                         { return handlerID(m.Id) }
+func (m *mockHandler) ID() types.HandlerID                   { return types.HandlerID(m.Id) }
 
 type mockService struct{}
 
@@ -1113,7 +1115,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 		name             string
 		initialHandlers  registeredHandlerMap
 		updates          []handlerWrapper
-		expectedHandlers map[string]string // map[handlerID]domain
+		expectedHandlers map[string]string // map[HandlerID]domain
 		description      string
 	}{
 		{
@@ -1409,7 +1411,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 
 			// Check each expected handler
 			for id, expectedDomain := range tt.expectedHandlers {
-				handler, exists := server.dnsMuxMap[handlerID(id)]
+				handler, exists := server.dnsMuxMap[types.HandlerID(id)]
 				assert.True(t, exists, "Expected handler %s not found", id)
 				if exists {
 					assert.Equal(t, expectedDomain, handler.domain,
@@ -1418,9 +1420,9 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 			}
 
 			// Verify no unexpected handlers exist
-			for handlerID := range server.dnsMuxMap {
+			for HandlerID := range server.dnsMuxMap {
-				_, expected := tt.expectedHandlers[string(handlerID)]
+				_, expected := tt.expectedHandlers[string(HandlerID)]
-				assert.True(t, expected, "Unexpected handler found: %s", handlerID)
+				assert.True(t, expected, "Unexpected handler found: %s", HandlerID)
 			}
 
 			// Verify the handlerChain state and order
@@ -1696,7 +1698,7 @@ func TestExtraDomains(t *testing.T) {
 				handlerChain:   NewHandlerChain(),
 				wgInterface:    &mocWGIface{},
 				hostManager:    mockHostConfig,
-				localResolver:  &localResolver{},
+				localResolver:  &local.Resolver{},
 				service:        mockSvc,
 				statusRecorder: peer.NewRecorder("test"),
 				extraDomains:   make(map[domain.Domain]int),
@@ -1781,7 +1783,7 @@ func TestExtraDomainsRefCounting(t *testing.T) {
 		ctx:            context.Background(),
 		handlerChain:   NewHandlerChain(),
 		hostManager:    mockHostConfig,
-		localResolver:  &localResolver{},
+		localResolver:  &local.Resolver{},
 		service:        mockSvc,
 		statusRecorder: peer.NewRecorder("test"),
 		extraDomains:   make(map[domain.Domain]int),
@@ -1833,7 +1835,7 @@ func TestUpdateConfigWithExistingExtraDomains(t *testing.T) {
 		ctx:            context.Background(),
 		handlerChain:   NewHandlerChain(),
 		hostManager:    mockHostConfig,
-		localResolver:  &localResolver{},
+		localResolver:  &local.Resolver{},
 		service:        mockSvc,
 		statusRecorder: peer.NewRecorder("test"),
 		extraDomains:   make(map[domain.Domain]int),
@@ -1916,7 +1918,7 @@ func TestDomainCaseHandling(t *testing.T) {
 		ctx:            context.Background(),
 		handlerChain:   NewHandlerChain(),
 		hostManager:    mockHostConfig,
-		localResolver:  &localResolver{},
+		localResolver:  &local.Resolver{},
 		service:        mockSvc,
 		statusRecorder: peer.NewRecorder("test"),
 		extraDomains:   make(map[domain.Domain]int),

client/internal/dns/service_memory.go

@@ -24,11 +24,15 @@ type ServiceViaMemory struct {
 }
 
 func NewServiceViaMemory(wgIface WGIface) *ServiceViaMemory {
+	lastIP, err := nbnet.GetLastIPFromNetwork(wgIface.Address().Network, 1)
+	if err != nil {
+		log.Errorf("get last ip from network: %v", err)
+	}
 	s := &ServiceViaMemory{
 		wgInterface: wgIface,
 		dnsMux:      dns.NewServeMux(),
 
-		runtimeIP:   nbnet.GetLastIPFromNetwork(wgIface.Address().Network, 1).String(),
+		runtimeIP:   lastIP.String(),
 		runtimePort: defaultPort,
 	}
 	return s
@@ -91,7 +95,7 @@ func (s *ServiceViaMemory) filterDNSTraffic() (string, error) {
 	}
 
 	firstLayerDecoder := layers.LayerTypeIPv4
-	if s.wgInterface.Address().Network.IP.To4() == nil {
+	if s.wgInterface.Address().IP.Is6() {
 		firstLayerDecoder = layers.LayerTypeIPv6
 	}
 

client/internal/dns/service_memory_test.go

@@ -1,33 +0,0 @@
-package dns
-
-import (
-	"net"
-	"testing"
-
-	nbnet "github.com/netbirdio/netbird/util/net"
-)
-
-func TestGetLastIPFromNetwork(t *testing.T) {
-	tests := []struct {
-		addr string
-		ip   string
-	}{
-		{"2001:db8::/32", "2001:db8:ffff:ffff:ffff:ffff:ffff:fffe"},
-		{"192.168.0.0/30", "192.168.0.2"},
-		{"192.168.0.0/16", "192.168.255.254"},
-		{"192.168.0.0/24", "192.168.0.254"},
-	}
-
-	for _, tt := range tests {
-		_, ipnet, err := net.ParseCIDR(tt.addr)
-		if err != nil {
-			t.Errorf("Error parsing CIDR: %v", err)
-			return
-		}
-
-		lastIP := nbnet.GetLastIPFromNetwork(ipnet, 1).String()
-		if lastIP != tt.ip {
-			t.Errorf("wrong IP address, expected %s: got %s", tt.ip, lastIP)
-		}
-	}
-}

client/internal/dns/systemd_linux.go

@@ -30,9 +30,12 @@ const (
 	systemdDbusSetDNSMethodSuffix          = systemdDbusLinkInterface + ".SetDNS"
 	systemdDbusSetDefaultRouteMethodSuffix = systemdDbusLinkInterface + ".SetDefaultRoute"
 	systemdDbusSetDomainsMethodSuffix      = systemdDbusLinkInterface + ".SetDomains"
+	systemdDbusSetDNSSECMethodSuffix       = systemdDbusLinkInterface + ".SetDNSSEC"
 	systemdDbusResolvConfModeForeign       = "foreign"
 
 	dbusErrorUnknownObject = "org.freedesktop.DBus.Error.UnknownObject"
+
+	dnsSecDisabled = "no"
 )
 
 type systemdDbusConfigurator struct {
@@ -95,9 +98,13 @@ func (s *systemdDbusConfigurator) applyDNSConfig(config HostDNSConfig, stateMana
 		Family:  unix.AF_INET,
 		Address: ipAs4[:],
 	}
-	err = s.callLinkMethod(systemdDbusSetDNSMethodSuffix, []systemdDbusDNSInput{defaultLinkInput})
+	if err = s.callLinkMethod(systemdDbusSetDNSMethodSuffix, []systemdDbusDNSInput{defaultLinkInput}); err != nil {
-	if err != nil {
+		return fmt.Errorf("set interface DNS server %s:%d: %w", config.ServerIP, config.ServerPort, err)
-		return fmt.Errorf("setting the interface DNS server %s:%d failed with error: %w", config.ServerIP, config.ServerPort, err)
+	}
+
+	// We don't support dnssec. On some machines this is default on so we explicitly set it to off
+	if err = s.callLinkMethod(systemdDbusSetDNSSECMethodSuffix, dnsSecDisabled); err != nil {
+		log.Warnf("failed to set DNSSEC to 'no': %v", err)
 	}
 
 	var (

client/internal/dns/test/mock.go

@@ -0,0 +1,26 @@
+package test
+
+import (
+	"net"
+
+	"github.com/miekg/dns"
+)
+
+type MockResponseWriter struct {
+	WriteMsgFunc func(m *dns.Msg) error
+}
+
+func (rw *MockResponseWriter) WriteMsg(m *dns.Msg) error {
+	if rw.WriteMsgFunc != nil {
+		return rw.WriteMsgFunc(m)
+	}
+	return nil
+}
+
+func (rw *MockResponseWriter) LocalAddr() net.Addr       { return nil }
+func (rw *MockResponseWriter) RemoteAddr() net.Addr      { return nil }
+func (rw *MockResponseWriter) Write([]byte) (int, error) { return 0, nil }
+func (rw *MockResponseWriter) Close() error              { return nil }
+func (rw *MockResponseWriter) TsigStatus() error         { return nil }
+func (rw *MockResponseWriter) TsigTimersOnly(bool)       {}
+func (rw *MockResponseWriter) Hijack()                   {}

client/internal/dns/types/types.go

@@ -0,0 +1,3 @@
+package types
+
+type HandlerID string

client/internal/dns/upstream.go

@@ -19,6 +19,7 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/client/iface"
+	"github.com/netbirdio/netbird/client/internal/dns/types"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/proto"
 )
@@ -81,21 +82,21 @@ func (u *upstreamResolverBase) String() string {
 }
 
 // ID returns the unique handler ID
-func (u *upstreamResolverBase) id() handlerID {
+func (u *upstreamResolverBase) ID() types.HandlerID {
 	servers := slices.Clone(u.upstreamServers)
 	slices.Sort(servers)
 
 	hash := sha256.New()
 	hash.Write([]byte(u.domain + ":"))
 	hash.Write([]byte(strings.Join(servers, ",")))
-	return handlerID("upstream-" + hex.EncodeToString(hash.Sum(nil)[:8]))
+	return types.HandlerID("upstream-" + hex.EncodeToString(hash.Sum(nil)[:8]))
 }
 
 func (u *upstreamResolverBase) MatchSubdomains() bool {
 	return true
 }
 
-func (u *upstreamResolverBase) stop() {
+func (u *upstreamResolverBase) Stop() {
 	log.Debugf("stopping serving DNS for upstreams %s", u.upstreamServers)
 	u.cancel()
 }
@@ -198,9 +199,9 @@ func (u *upstreamResolverBase) checkUpstreamFails(err error) {
 	)
 }
 
-// probeAvailability tests all upstream servers simultaneously and
+// ProbeAvailability tests all upstream servers simultaneously and
 // disables the resolver if none work
-func (u *upstreamResolverBase) probeAvailability() {
+func (u *upstreamResolverBase) ProbeAvailability() {
 	u.mutex.Lock()
 	defer u.mutex.Unlock()
 

client/internal/dns/upstream_android.go

@@ -3,6 +3,7 @@ package dns
 import (
 	"context"
 	"net"
+	"net/netip"
 	"syscall"
 	"time"
 
@@ -23,8 +24,8 @@ type upstreamResolver struct {
 func newUpstreamResolver(
 	ctx context.Context,
 	_ string,
-	_ net.IP,
+	_ netip.Addr,
-	_ *net.IPNet,
+	_ netip.Prefix,
 	statusRecorder *peer.Status,
 	hostsDNSHolder *hostsDNSHolder,
 	domain string,

client/internal/dns/upstream_general.go

@@ -4,7 +4,7 @@ package dns
 
 import (
 	"context"
-	"net"
+	"net/netip"
 	"time"
 
 	"github.com/miekg/dns"
@@ -19,8 +19,8 @@ type upstreamResolver struct {
 func newUpstreamResolver(
 	ctx context.Context,
 	_ string,
-	_ net.IP,
+	_ netip.Addr,
-	_ *net.IPNet,
+	_ netip.Prefix,
 	statusRecorder *peer.Status,
 	_ *hostsDNSHolder,
 	domain string,

client/internal/dns/upstream_ios.go

@@ -6,6 +6,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"net/netip"
 	"syscall"
 	"time"
 
@@ -18,16 +19,16 @@ import (
 
 type upstreamResolverIOS struct {
 	*upstreamResolverBase
-	lIP           net.IP
+	lIP           netip.Addr
-	lNet          *net.IPNet
+	lNet          netip.Prefix
 	interfaceName string
 }
 
 func newUpstreamResolver(
 	ctx context.Context,
 	interfaceName string,
-	ip net.IP,
+	ip netip.Addr,
-	net *net.IPNet,
+	net netip.Prefix,
 	statusRecorder *peer.Status,
 	_ *hostsDNSHolder,
 	domain string,
@@ -58,8 +59,11 @@ func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *
 	}
 	client.DialTimeout = timeout
 
-	upstreamIP := net.ParseIP(upstreamHost)
+	upstreamIP, err := netip.ParseAddr(upstreamHost)
-	if u.lNet.Contains(upstreamIP) || net.IP.IsPrivate(upstreamIP) {
+	if err != nil {
+		log.Warnf("failed to parse upstream host %s: %s", upstreamHost, err)
+	}
+	if u.lNet.Contains(upstreamIP) || upstreamIP.IsPrivate() {
 		log.Debugf("using private client to query upstream: %s", upstream)
 		client, err = GetClientPrivate(u.lIP, u.interfaceName, timeout)
 		if err != nil {
@@ -73,7 +77,7 @@ func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *
 
 // GetClientPrivate returns a new DNS client bound to the local IP address of the Netbird interface
 // This method is needed for iOS
-func GetClientPrivate(ip net.IP, interfaceName string, dialTimeout time.Duration) (*dns.Client, error) {
+func GetClientPrivate(ip netip.Addr, interfaceName string, dialTimeout time.Duration) (*dns.Client, error) {
 	index, err := getInterfaceIndex(interfaceName)
 	if err != nil {
 		log.Debugf("unable to get interface index for %s: %s", interfaceName, err)
@@ -82,7 +86,7 @@ func GetClientPrivate(ip net.IP, interfaceName string, dialTimeout time.Duration
 
 	dialer := &net.Dialer{
 		LocalAddr: &net.UDPAddr{
-			IP:   ip,
+			IP:   ip.AsSlice(),
 			Port: 0, // Let the OS pick a free port
 		},
 		Timeout: dialTimeout,

client/internal/dns/upstream_test.go

@@ -2,12 +2,14 @@ package dns
 
 import (
 	"context"
-	"net"
+	"net/netip"
 	"strings"
 	"testing"
 	"time"
 
 	"github.com/miekg/dns"
+
+	"github.com/netbirdio/netbird/client/internal/dns/test"
 )
 
 func TestUpstreamResolver_ServeDNS(t *testing.T) {
@@ -56,7 +58,7 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			ctx, cancel := context.WithCancel(context.TODO())
-			resolver, _ := newUpstreamResolver(ctx, "", net.IP{}, &net.IPNet{}, nil, nil, ".")
+			resolver, _ := newUpstreamResolver(ctx, "", netip.Addr{}, netip.Prefix{}, nil, nil, ".")
 			resolver.upstreamServers = testCase.InputServers
 			resolver.upstreamTimeout = testCase.timeout
 			if testCase.cancelCTX {
@@ -66,7 +68,7 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 			}
 
 			var responseMSG *dns.Msg
-			responseWriter := &mockResponseWriter{
+			responseWriter := &test.MockResponseWriter{
 				WriteMsgFunc: func(m *dns.Msg) error {
 					responseMSG = m
 					return nil
@@ -130,7 +132,7 @@ func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
 	resolver.failsTillDeact = 0
 	resolver.reactivatePeriod = time.Microsecond * 100
 
-	responseWriter := &mockResponseWriter{
+	responseWriter := &test.MockResponseWriter{
 		WriteMsgFunc: func(m *dns.Msg) error { return nil },
 	}
 

client/internal/dns/wgiface.go

@@ -5,7 +5,6 @@ package dns
 import (
 	"net"
 
-	"github.com/netbirdio/netbird/client/iface/configurer"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
@@ -18,5 +17,4 @@ type WGIface interface {
 	IsUserspaceBind() bool
 	GetFilter() device.PacketFilter
 	GetDevice() *device.FilteredDevice
-	GetStats(peerKey string) (configurer.WGStats, error)
 }

client/internal/dns/wgiface_windows.go

@@ -1,7 +1,6 @@
 package dns
 
 import (
-	"github.com/netbirdio/netbird/client/iface/configurer"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
@@ -13,6 +12,5 @@ type WGIface interface {
 	IsUserspaceBind() bool
 	GetFilter() device.PacketFilter
 	GetDevice() *device.FilteredDevice
-	GetStats(peerKey string) (configurer.WGStats, error)
 	GetInterfaceGUIDString() (string, error)
 }

client/internal/dnsfwd/forwarder.go

@@ -33,6 +33,8 @@ type DNSForwarder struct {
 
 	dnsServer *dns.Server
 	mux       *dns.ServeMux
+	tcpServer *dns.Server
+	tcpMux    *dns.ServeMux
 
 	mutex      sync.RWMutex
 	fwdEntries []*ForwarderEntry
@@ -50,22 +52,41 @@ func NewDNSForwarder(listenAddress string, ttl uint32, firewall firewall.Manager
 }
 
 func (f *DNSForwarder) Listen(entries []*ForwarderEntry) error {
-	log.Infof("listen DNS forwarder on address=%s", f.listenAddress)
+	log.Infof("starting DNS forwarder on address=%s", f.listenAddress)
-	mux := dns.NewServeMux()
 
-	dnsServer := &dns.Server{
+	// UDP server
+	mux := dns.NewServeMux()
+	f.mux = mux
+	f.dnsServer = &dns.Server{
 		Addr:    f.listenAddress,
 		Net:     "udp",
 		Handler: mux,
 	}
-	f.dnsServer = dnsServer
+	// TCP server
-	f.mux = mux
+	tcpMux := dns.NewServeMux()
+	f.tcpMux = tcpMux
+	f.tcpServer = &dns.Server{
+		Addr:    f.listenAddress,
+		Net:     "tcp",
+		Handler: tcpMux,
+	}
 
 	f.UpdateDomains(entries)
 
-	return dnsServer.ListenAndServe()
+	errCh := make(chan error, 2)
-}
 
+	go func() {
+		log.Infof("DNS UDP listener running on %s", f.listenAddress)
+		errCh <- f.dnsServer.ListenAndServe()
+	}()
+	go func() {
+		log.Infof("DNS TCP listener running on %s", f.listenAddress)
+		errCh <- f.tcpServer.ListenAndServe()
+	}()
+
+	// return the first error we get (e.g. bind failure or shutdown)
+	return <-errCh
+}
 func (f *DNSForwarder) UpdateDomains(entries []*ForwarderEntry) {
 	f.mutex.Lock()
 	defer f.mutex.Unlock()
@@ -77,31 +98,41 @@ func (f *DNSForwarder) UpdateDomains(entries []*ForwarderEntry) {
 	}
 
 	oldDomains := filterDomains(f.fwdEntries)
-
 	for _, d := range oldDomains {
 		f.mux.HandleRemove(d.PunycodeString())
+		f.tcpMux.HandleRemove(d.PunycodeString())
 	}
 
 	newDomains := filterDomains(entries)
 	for _, d := range newDomains {
-		f.mux.HandleFunc(d.PunycodeString(), f.handleDNSQuery)
+		f.mux.HandleFunc(d.PunycodeString(), f.handleDNSQueryUDP)
+		f.tcpMux.HandleFunc(d.PunycodeString(), f.handleDNSQueryTCP)
 	}
 
 	f.fwdEntries = entries
-
 	log.Debugf("Updated domains from %v to %v", oldDomains, newDomains)
 }
 
 func (f *DNSForwarder) Close(ctx context.Context) error {
-	if f.dnsServer == nil {
+	var result *multierror.Error
-		return nil
+
+	if f.dnsServer != nil {
+		if err := f.dnsServer.ShutdownContext(ctx); err != nil {
+			result = multierror.Append(result, fmt.Errorf("UDP shutdown: %w", err))
 		}
-	return f.dnsServer.ShutdownContext(ctx)
+	}
+	if f.tcpServer != nil {
+		if err := f.tcpServer.ShutdownContext(ctx); err != nil {
+			result = multierror.Append(result, fmt.Errorf("TCP shutdown: %w", err))
+		}
+	}
+
+	return nberrors.FormatErrorOrNil(result)
 }
 
-func (f *DNSForwarder) handleDNSQuery(w dns.ResponseWriter, query *dns.Msg) {
+func (f *DNSForwarder) handleDNSQuery(w dns.ResponseWriter, query *dns.Msg) *dns.Msg {
 	if len(query.Question) == 0 {
-		return
+		return nil
 	}
 	question := query.Question[0]
 	log.Tracef("received DNS request for DNS forwarder: domain=%v type=%v class=%v",
@@ -123,20 +154,53 @@ func (f *DNSForwarder) handleDNSQuery(w dns.ResponseWriter, query *dns.Msg) {
 		if err := w.WriteMsg(resp); err != nil {
 			log.Errorf("failed to write DNS response: %v", err)
 		}
-		return
+		return nil
 	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), upstreamTimeout)
 	defer cancel()
 	ips, err := net.DefaultResolver.LookupNetIP(ctx, network, domain)
 	if err != nil {
-		f.handleDNSError(w, resp, domain, err)
+		f.handleDNSError(w, query, resp, domain, err)
-		return
+		return nil
 	}
 
 	f.updateInternalState(domain, ips)
 	f.addIPsToResponse(resp, domain, ips)
 
+	return resp
+}
+
+func (f *DNSForwarder) handleDNSQueryUDP(w dns.ResponseWriter, query *dns.Msg) {
+
+	resp := f.handleDNSQuery(w, query)
+	if resp == nil {
+		return
+	}
+
+	opt := query.IsEdns0()
+	maxSize := dns.MinMsgSize
+	if opt != nil {
+		// client advertised a larger EDNS0 buffer
+		maxSize = int(opt.UDPSize())
+	}
+
+	// if our response is too big, truncate and set the TC bit
+	if resp.Len() > maxSize {
+		resp.Truncate(maxSize)
+	}
+
+	if err := w.WriteMsg(resp); err != nil {
+		log.Errorf("failed to write DNS response: %v", err)
+	}
+}
+
+func (f *DNSForwarder) handleDNSQueryTCP(w dns.ResponseWriter, query *dns.Msg) {
+	resp := f.handleDNSQuery(w, query)
+	if resp == nil {
+		return
+	}
+
 	if err := w.WriteMsg(resp); err != nil {
 		log.Errorf("failed to write DNS response: %v", err)
 	}
@@ -179,7 +243,7 @@ func (f *DNSForwarder) updateFirewall(matchingEntries []*ForwarderEntry, prefixe
 }
 
 // handleDNSError processes DNS lookup errors and sends an appropriate error response
-func (f *DNSForwarder) handleDNSError(w dns.ResponseWriter, resp *dns.Msg, domain string, err error) {
+func (f *DNSForwarder) handleDNSError(w dns.ResponseWriter, query, resp *dns.Msg, domain string, err error) {
 	var dnsErr *net.DNSError
 
 	switch {
@@ -191,7 +255,7 @@ func (f *DNSForwarder) handleDNSError(w dns.ResponseWriter, resp *dns.Msg, domai
 		}
 
 		if dnsErr.Server != "" {
-			log.Warnf("failed to resolve query for domain=%s server=%s: %v", domain, dnsErr.Server, err)
+			log.Warnf("failed to resolve query for type=%s domain=%s server=%s: %v", dns.TypeToString[query.Question[0].Qtype], domain, dnsErr.Server, err)
 		} else {
 			log.Warnf(errResolveFailed, domain, err)
 		}

client/internal/dnsfwd/manager.go

@@ -33,6 +33,7 @@ type Manager struct {
 	statusRecorder *peer.Status
 
 	fwRules      []firewall.Rule
+	tcpRules     []firewall.Rule
 	dnsForwarder *DNSForwarder
 }
 
@@ -107,6 +108,13 @@ func (m *Manager) allowDNSFirewall() error {
 	}
 	m.fwRules = dnsRules
 
+	tcpRules, err := m.firewall.AddPeerFiltering(nil, net.IP{0, 0, 0, 0}, firewall.ProtocolTCP, nil, dport, firewall.ActionAccept, "")
+	if err != nil {
+		log.Errorf("failed to add allow DNS router rules, err: %v", err)
+		return err
+	}
+	m.tcpRules = tcpRules
+
 	return nil
 }
 
@@ -117,7 +125,13 @@ func (m *Manager) dropDNSFirewall() error {
 			mErr = multierror.Append(mErr, fmt.Errorf("failed to delete DNS router rules, err: %v", err))
 		}
 	}
+	for _, rule := range m.tcpRules {
+		if err := m.firewall.DeletePeerRule(rule); err != nil {
+			mErr = multierror.Append(mErr, fmt.Errorf("failed to delete DNS router rules, err: %v", err))
+		}
+	}
 
 	m.fwRules = nil
+	m.tcpRules = nil
 	return nberrors.FormatErrorOrNil(mErr)
 }

client/internal/engine.go

@@ -38,6 +38,7 @@ import (
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/networkmonitor"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/peer/dispatcher"
 	"github.com/netbirdio/netbird/client/internal/peer/guard"
 	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
 	"github.com/netbirdio/netbird/client/internal/peerstore"
@@ -120,8 +121,10 @@ type EngineConfig struct {
 	DisableServerRoutes bool
 	DisableDNS          bool
 	DisableFirewall     bool
-
 	BlockLANAccess      bool
+	BlockInbound        bool
+
+	LazyConnectionEnabled bool
 }
 
 // Engine is a mechanism responsible for reacting on Signal and Management stream events and managing connections to the remote peers.
@@ -134,6 +137,8 @@ type Engine struct {
 	// peerConns is a map that holds all the peers that are known to this peer
 	peerStore *peerstore.Store
 
+	connMgr *ConnMgr
+
 	beforePeerHook nbnet.AddHookFunc
 	afterPeerHook  nbnet.RemoveHookFunc
 
@@ -171,6 +176,7 @@ type Engine struct {
 	sshServer     nbssh.Server
 
 	statusRecorder     *peer.Status
+	peerConnDispatcher *dispatcher.ConnectionDispatcher
 
 	firewall          firewallManager.Manager
 	routeManager      routemanager.Manager
@@ -235,6 +241,8 @@ func NewEngine(
 		checks:         checks,
 		connSemaphore:  semaphoregroup.NewSemaphoreGroup(connInitLimit),
 	}
+
+	path := statemanager.GetDefaultStatePath()
 	if runtime.GOOS == "ios" {
 		if !fileExists(mobileDep.StateFilePath) {
 			err := createFile(mobileDep.StateFilePath)
@@ -244,11 +252,9 @@ func NewEngine(
 			}
 		}
 
-		engine.stateManager = statemanager.New(mobileDep.StateFilePath)
+		path = mobileDep.StateFilePath
 	}
-	if path := statemanager.GetDefaultStatePath(); path != "" {
 	engine.stateManager = statemanager.New(path)
-	}
 
 	return engine
 }
@@ -262,6 +268,10 @@ func (e *Engine) Stop() error {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()
 
+	if e.connMgr != nil {
+		e.connMgr.Close()
+	}
+
 	// stopping network monitor first to avoid starting the engine again
 	if e.networkMonitor != nil {
 		e.networkMonitor.Stop()
@@ -297,8 +307,7 @@ func (e *Engine) Stop() error {
 	e.statusRecorder.UpdateDNSStates([]peer.NSGroupState{})
 	e.statusRecorder.UpdateRelayStates([]relay.ProbeResult{})
 
-	err := e.removeAllPeers()
+	if err := e.removeAllPeers(); err != nil {
-	if err != nil {
 		return fmt.Errorf("failed to remove all peers: %s", err)
 	}
 
@@ -350,6 +359,7 @@ func (e *Engine) Start() error {
 		return fmt.Errorf("new wg interface: %w", err)
 	}
 	e.wgInterface = wgIface
+	e.statusRecorder.SetWgIface(wgIface)
 
 	// start flow manager right after interface creation
 	publicKey := e.config.WgPrivateKey.PublicKey()
@@ -371,7 +381,6 @@ func (e *Engine) Start() error {
 			return fmt.Errorf("run rosenpass manager: %w", err)
 		}
 	}
-
 	e.stateManager.Start()
 
 	initialRoutes, dnsServer, err := e.newDnsServer()
@@ -405,8 +414,7 @@ func (e *Engine) Start() error {
 
 	e.routeManager.SetRouteChangeListener(e.mobileDep.NetworkChangeListener)
 
-	err = e.wgInterfaceCreate()
+	if err = e.wgInterfaceCreate(); err != nil {
-	if err != nil {
 		log.Errorf("failed creating tunnel interface %s: [%s]", e.config.WgIfaceName, err.Error())
 		e.close()
 		return fmt.Errorf("create wg interface: %w", err)
@@ -423,7 +431,8 @@ func (e *Engine) Start() error {
 		return fmt.Errorf("up wg interface: %w", err)
 	}
 
-	if e.firewall != nil {
+	// if inbound conns are blocked there is no need to create the ACL manager
+	if e.firewall != nil && !e.config.BlockInbound {
 		e.acl = acl.NewDefaultManager(e.firewall)
 	}
 
@@ -442,6 +451,11 @@ func (e *Engine) Start() error {
 		NATExternalIPs:       e.parseNATExternalIPMappings(),
 	}
 
+	e.peerConnDispatcher = dispatcher.NewConnectionDispatcher()
+
+	e.connMgr = NewConnMgr(e.config, e.statusRecorder, e.peerStore, wgIface, e.peerConnDispatcher)
+	e.connMgr.Start(e.ctx)
+
 	e.srWatcher = guard.NewSRWatcher(e.signal, e.relayManager, e.mobileDep.IFaceDiscover, iceCfg)
 	e.srWatcher.Start()
 
@@ -450,7 +464,6 @@ func (e *Engine) Start() error {
 
 	// starting network monitor at the very last to avoid disruptions
 	e.startNetworkMonitor()
-
 	return nil
 }
 
@@ -475,12 +488,10 @@ func (e *Engine) createFirewall() error {
 }
 
 func (e *Engine) initFirewall() error {
-	if e.firewall.IsServerRouteSupported() {
 	if err := e.routeManager.EnableServerRouter(e.firewall); err != nil {
 		e.close()
 		return fmt.Errorf("enable server router: %w", err)
 	}
-	}
 
 	if e.config.BlockLANAccess {
 		e.blockLanAccess()
@@ -513,6 +524,11 @@ func (e *Engine) initFirewall() error {
 }
 
 func (e *Engine) blockLanAccess() {
+	if e.config.BlockInbound {
+		// no need to set up extra deny rules if inbound is already blocked in general
+		return
+	}
+
 	var merr *multierror.Error
 
 	// TODO: keep this updated
@@ -550,6 +566,16 @@ func (e *Engine) modifyPeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
 	var modified []*mgmProto.RemotePeerConfig
 	for _, p := range peersUpdate {
 		peerPubKey := p.GetWgPubKey()
+		currentPeer, ok := e.peerStore.PeerConn(peerPubKey)
+		if !ok {
+			continue
+		}
+
+		if currentPeer.AgentVersionString() != p.AgentVersion {
+			modified = append(modified, p)
+			continue
+		}
+
 		allowedIPs, ok := e.peerStore.AllowedIPs(peerPubKey)
 		if !ok {
 			continue
@@ -559,8 +585,7 @@ func (e *Engine) modifyPeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
 			continue
 		}
 
-		err := e.statusRecorder.UpdatePeerFQDN(peerPubKey, p.GetFqdn())
+		if err := e.statusRecorder.UpdatePeerFQDN(peerPubKey, p.GetFqdn()); err != nil {
-		if err != nil {
 			log.Warnf("error updating peer's %s fqdn in the status recorder, got error: %v", peerPubKey, err)
 		}
 	}
@@ -621,17 +646,12 @@ func (e *Engine) removePeer(peerKey string) error {
 		e.sshServer.RemoveAuthorizedKey(peerKey)
 	}
 
-	defer func() {
+	e.connMgr.RemovePeerConn(peerKey)
+
 	err := e.statusRecorder.RemovePeer(peerKey)
 	if err != nil {
 		log.Warnf("received error when removing peer %s from status recorder: %v", peerKey, err)
 	}
-	}()
-
-	conn, exists := e.peerStore.Remove(peerKey)
-	if exists {
-		conn.Close()
-	}
 	return nil
 }
 
@@ -780,11 +800,15 @@ func isNil(server nbssh.Server) bool {
 }
 
 func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
+	if e.config.BlockInbound {
+		log.Infof("SSH server is disabled because inbound connections are blocked")
+		return nil
+	}
 
 	if !e.config.ServerSSHAllowed {
-		log.Warnf("running SSH server is not permitted")
+		log.Info("SSH server is not enabled")
 		return nil
-	} else {
+	}
 
 	if sshConf.GetSshEnabled() {
 		if runtime.GOOS == "windows" {
@@ -828,8 +852,6 @@ func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
 		e.sshServer = nil
 	}
 	return nil
-
-	}
 }
 
 func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
@@ -952,12 +974,33 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		return nil
 	}
 
+	if err := e.connMgr.UpdatedRemoteFeatureFlag(e.ctx, networkMap.GetPeerConfig().GetLazyConnectionEnabled()); err != nil {
+		log.Errorf("failed to update lazy connection feature flag: %v", err)
+	}
+
 	if e.firewall != nil {
 		if localipfw, ok := e.firewall.(localIpUpdater); ok {
 			if err := localipfw.UpdateLocalIPs(); err != nil {
 				log.Errorf("failed to update local IPs: %v", err)
 			}
 		}
+
+		// If we got empty rules list but management did not set the networkMap.FirewallRulesIsEmpty flag,
+		// then the mgmt server is older than the client, and we need to allow all traffic for routes.
+		// This needs to be toggled before applying routes.
+		isLegacy := len(networkMap.RoutesFirewallRules) == 0 && !networkMap.RoutesFirewallRulesIsEmpty
+		if err := e.firewall.SetLegacyManagement(isLegacy); err != nil {
+			log.Errorf("failed to set legacy management flag: %v", err)
+		}
+	}
+
+	protoDNSConfig := networkMap.GetDNSConfig()
+	if protoDNSConfig == nil {
+		protoDNSConfig = &mgmProto.DNSConfig{}
+	}
+
+	if err := e.dnsServer.UpdateDNSServer(serial, toDNSConfig(protoDNSConfig, e.wgInterface.Address().Network)); err != nil {
+		log.Errorf("failed to update dns server, err: %v", err)
 	}
 
 	dnsRouteFeatureFlag := toDNSFeatureFlag(networkMap)
@@ -965,7 +1008,7 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 	// apply routes first, route related actions might depend on routing being enabled
 	routes := toRoutes(networkMap.GetRoutes())
 	if err := e.routeManager.UpdateRoutes(serial, routes, dnsRouteFeatureFlag); err != nil {
-		log.Errorf("failed to update clientRoutes, err: %v", err)
+		log.Errorf("failed to update routes: %v", err)
 	}
 
 	if e.acl != nil {
@@ -976,7 +1019,8 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 	e.updateDNSForwarder(dnsRouteFeatureFlag, fwdEntries)
 
 	// Ingress forward rules
-	if err := e.updateForwardRules(networkMap.GetForwardingRules()); err != nil {
+	forwardingRules, err := e.updateForwardRules(networkMap.GetForwardingRules())
+	if err != nil {
 		log.Errorf("failed to update forward rules, err: %v", err)
 	}
 
@@ -1022,14 +1066,9 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		}
 	}
 
-	protoDNSConfig := networkMap.GetDNSConfig()
+	// must set the exclude list after the peers are added. Without it the manager can not figure out the peers parameters from the store
-	if protoDNSConfig == nil {
+	excludedLazyPeers := e.toExcludedLazyPeers(routes, forwardingRules, networkMap.GetRemotePeers())
-		protoDNSConfig = &mgmProto.DNSConfig{}
+	e.connMgr.SetExcludeList(excludedLazyPeers)
-	}
-
-	if err := e.dnsServer.UpdateDNSServer(serial, toDNSConfig(protoDNSConfig, e.wgInterface.Address().Network)); err != nil {
-		log.Errorf("failed to update dns server, err: %v", err)
-	}
 
 	e.networkSerial = serial
 
@@ -1065,7 +1104,7 @@ func toRoutes(protoRoutes []*mgmProto.Route) []*route.Route {
 
 		convertedRoute := &route.Route{
 			ID:          route.ID(protoRoute.ID),
-			Network:     prefix,
+			Network:     prefix.Masked(),
 			Domains:     domain.FromPunycodeList(protoRoute.Domains),
 			NetID:       route.NetID(protoRoute.NetID),
 			NetworkType: route.NetworkType(protoRoute.NetworkType),
@@ -1099,7 +1138,7 @@ func toRouteDomains(myPubKey string, routes []*route.Route) []*dnsfwd.ForwarderE
 	return entries
 }
 
-func toDNSConfig(protoDNSConfig *mgmProto.DNSConfig, network *net.IPNet) nbdns.Config {
+func toDNSConfig(protoDNSConfig *mgmProto.DNSConfig, network netip.Prefix) nbdns.Config {
 	dnsUpdate := nbdns.Config{
 		ServiceEnable:    protoDNSConfig.GetServiceEnable(),
 		CustomZones:      make([]nbdns.CustomZone, 0),
@@ -1155,7 +1194,7 @@ func (e *Engine) updateOfflinePeers(offlinePeers []*mgmProto.RemotePeerConfig) {
 			IP:               strings.Join(offlinePeer.GetAllowedIps(), ","),
 			PubKey:           offlinePeer.GetWgPubKey(),
 			FQDN:             offlinePeer.GetFqdn(),
-			ConnStatus:       peer.StatusDisconnected,
+			ConnStatus:       peer.StatusIdle,
 			ConnStatusUpdate: time.Now(),
 			Mux:              new(sync.RWMutex),
 		}
@@ -1191,12 +1230,17 @@ func (e *Engine) addNewPeer(peerConfig *mgmProto.RemotePeerConfig) error {
 		peerIPs = append(peerIPs, allowedNetIP)
 	}
 
-	conn, err := e.createPeerConn(peerKey, peerIPs)
+	conn, err := e.createPeerConn(peerKey, peerIPs, peerConfig.AgentVersion)
 	if err != nil {
 		return fmt.Errorf("create peer connection: %w", err)
 	}
 
-	if ok := e.peerStore.AddPeerConn(peerKey, conn); !ok {
+	err = e.statusRecorder.AddPeer(peerKey, peerConfig.Fqdn, peerIPs[0].Addr().String())
+	if err != nil {
+		log.Warnf("error adding peer %s to status recorder, got error: %v", peerKey, err)
+	}
+
+	if exists := e.connMgr.AddPeerConn(e.ctx, peerKey, conn); exists {
 		conn.Close()
 		return fmt.Errorf("peer already exists: %s", peerKey)
 	}
@@ -1205,17 +1249,10 @@ func (e *Engine) addNewPeer(peerConfig *mgmProto.RemotePeerConfig) error {
 		conn.AddBeforeAddPeerHook(e.beforePeerHook)
 		conn.AddAfterRemovePeerHook(e.afterPeerHook)
 	}
-
-	err = e.statusRecorder.AddPeer(peerKey, peerConfig.Fqdn)
-	if err != nil {
-		log.Warnf("error adding peer %s to status recorder, got error: %v", peerKey, err)
-	}
-
-	conn.Open()
 	return nil
 }
 
-func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix) (*peer.Conn, error) {
+func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix, agentVersion string) (*peer.Conn, error) {
 	log.Debugf("creating peer connection %s", pubKey)
 
 	wgConfig := peer.WgConfig{
@@ -1231,6 +1268,7 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix) (*peer
 	config := peer.ConnConfig{
 		Key:          pubKey,
 		LocalKey:     e.config.WgPrivateKey.PublicKey().String(),
+		AgentVersion: agentVersion,
 		Timeout:      timeout,
 		WgConfig:     wgConfig,
 		LocalWgPort:  e.config.WgPort,
@@ -1249,7 +1287,16 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix) (*peer
 		},
 	}
 
-	peerConn, err := peer.NewConn(e.ctx, config, e.statusRecorder, e.signaler, e.mobileDep.IFaceDiscover, e.relayManager, e.srWatcher, e.connSemaphore)
+	serviceDependencies := peer.ServiceDependencies{
+		StatusRecorder:     e.statusRecorder,
+		Signaler:           e.signaler,
+		IFaceDiscover:      e.mobileDep.IFaceDiscover,
+		RelayManager:       e.relayManager,
+		SrWatcher:          e.srWatcher,
+		Semaphore:          e.connSemaphore,
+		PeerConnDispatcher: e.peerConnDispatcher,
+	}
+	peerConn, err := peer.NewConn(config, serviceDependencies)
 	if err != nil {
 		return nil, err
 	}
@@ -1270,7 +1317,7 @@ func (e *Engine) receiveSignalEvents() {
 			e.syncMsgMux.Lock()
 			defer e.syncMsgMux.Unlock()
 
-			conn, ok := e.peerStore.PeerConn(msg.Key)
+			conn, ok := e.connMgr.OnSignalMsg(e.ctx, msg.Key)
 			if !ok {
 				return fmt.Errorf("wrongly addressed message %s", msg.Key)
 			}
@@ -1406,6 +1453,7 @@ func (e *Engine) close() {
 			log.Errorf("failed closing Netbird interface %s %v", e.config.WgIfaceName, err)
 		}
 		e.wgInterface = nil
+		e.statusRecorder.SetWgIface(nil)
 	}
 
 	if !isNil(e.sshServer) {
@@ -1578,13 +1626,39 @@ func (e *Engine) getRosenpassAddr() string {
 // RunHealthProbes executes health checks for Signal, Management, Relay and WireGuard services
 // and updates the status recorder with the latest states.
 func (e *Engine) RunHealthProbes() bool {
+	e.syncMsgMux.Lock()
+
 	signalHealthy := e.signal.IsHealthy()
 	log.Debugf("signal health check: healthy=%t", signalHealthy)
 
 	managementHealthy := e.mgmClient.IsHealthy()
 	log.Debugf("management health check: healthy=%t", managementHealthy)
 
-	results := append(e.probeSTUNs(), e.probeTURNs()...)
+	stuns := slices.Clone(e.STUNs)
+	turns := slices.Clone(e.TURNs)
+
+	if e.wgInterface != nil {
+		stats, err := e.wgInterface.GetStats()
+		if err != nil {
+			log.Warnf("failed to get wireguard stats: %v", err)
+			e.syncMsgMux.Unlock()
+			return false
+		}
+		for _, key := range e.peerStore.PeersPubKey() {
+			// wgStats could be zero value, in which case we just reset the stats
+			wgStats, ok := stats[key]
+			if !ok {
+				continue
+			}
+			if err := e.statusRecorder.UpdateWireGuardPeerState(key, wgStats); err != nil {
+				log.Debugf("failed to update wg stats for peer %s: %s", key, err)
+			}
+		}
+	}
+
+	e.syncMsgMux.Unlock()
+
+	results := e.probeICE(stuns, turns)
 	e.statusRecorder.UpdateRelayStates(results)
 
 	relayHealthy := true
@@ -1596,37 +1670,16 @@ func (e *Engine) RunHealthProbes() bool {
 	}
 	log.Debugf("relay health check: healthy=%t", relayHealthy)
 
-	for _, key := range e.peerStore.PeersPubKey() {
-		wgStats, err := e.wgInterface.GetStats(key)
-		if err != nil {
-			log.Debugf("failed to get wg stats for peer %s: %s", key, err)
-			continue
-		}
-		// wgStats could be zero value, in which case we just reset the stats
-		if err := e.statusRecorder.UpdateWireGuardPeerState(key, wgStats); err != nil {
-			log.Debugf("failed to update wg stats for peer %s: %s", key, err)
-		}
-	}
-
 	allHealthy := signalHealthy && managementHealthy && relayHealthy
 	log.Debugf("all health checks completed: healthy=%t", allHealthy)
 	return allHealthy
 }
 
-func (e *Engine) probeSTUNs() []relay.ProbeResult {
+func (e *Engine) probeICE(stuns, turns []*stun.URI) []relay.ProbeResult {
-	e.syncMsgMux.Lock()
+	return append(
-	stuns := slices.Clone(e.STUNs)
+		relay.ProbeAll(e.ctx, relay.ProbeSTUN, stuns),
-	e.syncMsgMux.Unlock()
+		relay.ProbeAll(e.ctx, relay.ProbeTURN, turns)...,
-
+	)
-	return relay.ProbeAll(e.ctx, relay.ProbeSTUN, stuns)
-}
-
-func (e *Engine) probeTURNs() []relay.ProbeResult {
-	e.syncMsgMux.Lock()
-	turns := slices.Clone(e.TURNs)
-	e.syncMsgMux.Unlock()
-
-	return relay.ProbeAll(e.ctx, relay.ProbeTURN, turns)
 }
 
 // restartEngine restarts the engine by cancelling the client context
@@ -1738,9 +1791,9 @@ func (e *Engine) GetLatestNetworkMap() (*mgmProto.NetworkMap, error) {
 }
 
 // GetWgAddr returns the wireguard address
-func (e *Engine) GetWgAddr() net.IP {
+func (e *Engine) GetWgAddr() netip.Addr {
 	if e.wgInterface == nil {
-		return nil
+		return netip.Addr{}
 	}
 	return e.wgInterface.Address().IP
 }
@@ -1750,6 +1803,10 @@ func (e *Engine) updateDNSForwarder(
 	enabled bool,
 	fwdEntries []*dnsfwd.ForwarderEntry,
 ) {
+	if e.config.DisableServerRoutes {
+		return
+	}
+
 	if !enabled {
 		if e.dnsForwardMgr == nil {
 			return
@@ -1805,29 +1862,24 @@ func (e *Engine) Address() (netip.Addr, error) {
 		return netip.Addr{}, errors.New("wireguard interface not initialized")
 	}
 
-	addr := e.wgInterface.Address()
+	return e.wgInterface.Address().IP, nil
-	ip, ok := netip.AddrFromSlice(addr.IP)
-	if !ok {
-		return netip.Addr{}, errors.New("failed to convert address to netip.Addr")
-	}
-	return ip.Unmap(), nil
 }
 
-func (e *Engine) updateForwardRules(rules []*mgmProto.ForwardingRule) error {
+func (e *Engine) updateForwardRules(rules []*mgmProto.ForwardingRule) ([]firewallManager.ForwardRule, error) {
 	if e.firewall == nil {
 		log.Warn("firewall is disabled, not updating forwarding rules")
-		return nil
+		return nil, nil
 	}
 
 	if len(rules) == 0 {
 		if e.ingressGatewayMgr == nil {
-			return nil
+			return nil, nil
 		}
 
 		err := e.ingressGatewayMgr.Close()
 		e.ingressGatewayMgr = nil
 		e.statusRecorder.SetIngressGwMgr(nil)
-		return err
+		return nil, err
 	}
 
 	if e.ingressGatewayMgr == nil {
@@ -1878,7 +1930,35 @@ func (e *Engine) updateForwardRules(rules []*mgmProto.ForwardingRule) error {
 		log.Errorf("failed to update forwarding rules: %v", err)
 	}
 
-	return nberrors.FormatErrorOrNil(merr)
+	return forwardingRules, nberrors.FormatErrorOrNil(merr)
+}
+
+func (e *Engine) toExcludedLazyPeers(routes []*route.Route, rules []firewallManager.ForwardRule, peers []*mgmProto.RemotePeerConfig) map[string]bool {
+	excludedPeers := make(map[string]bool)
+	for _, r := range routes {
+		if r.Peer == "" {
+			continue
+		}
+		if !excludedPeers[r.Peer] {
+			log.Infof("exclude router peer from lazy connection: %s", r.Peer)
+			excludedPeers[r.Peer] = true
+		}
+	}
+
+	for _, r := range rules {
+		ip := r.TranslatedAddress
+		for _, p := range peers {
+			for _, allowedIP := range p.GetAllowedIps() {
+				if allowedIP != ip.String() {
+					continue
+				}
+				log.Infof("exclude forwarder peer from lazy connection: %s", p.GetWgPubKey())
+				excludedPeers[p.GetWgPubKey()] = true
+			}
+		}
+	}
+
+	return excludedPeers
 }
 
 // isChecksEqual checks if two slices of checks are equal.

client/internal/engine_test.go

@@ -28,8 +28,6 @@ import (
 
 	"github.com/netbirdio/management-integrations/integrations"
 
-	"github.com/netbirdio/netbird/management/server/types"
-
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
@@ -38,6 +36,7 @@ import (
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/peer/dispatcher"
 	"github.com/netbirdio/netbird/client/internal/peer/guard"
 	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
@@ -53,6 +52,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
+	"github.com/netbirdio/netbird/management/server/types"
 	relayClient "github.com/netbirdio/netbird/relay/client"
 	"github.com/netbirdio/netbird/route"
 	signal "github.com/netbirdio/netbird/signal/client"
@@ -93,12 +93,16 @@ type MockWGIface struct {
 	GetFilterFunc              func() device.PacketFilter
 	GetDeviceFunc              func() *device.FilteredDevice
 	GetWGDeviceFunc            func() *wgdevice.Device
-	GetStatsFunc               func(peerKey string) (configurer.WGStats, error)
+	GetStatsFunc               func() (map[string]configurer.WGStats, error)
 	GetInterfaceGUIDStringFunc func() (string, error)
 	GetProxyFunc               func() wgproxy.Proxy
 	GetNetFunc                 func() *netstack.Net
 }
 
+func (m *MockWGIface) FullStats() (*configurer.Stats, error) {
+	return nil, fmt.Errorf("not implemented")
+}
+
 func (m *MockWGIface) GetInterfaceGUIDString() (string, error) {
 	return m.GetInterfaceGUIDStringFunc()
 }
@@ -171,8 +175,8 @@ func (m *MockWGIface) GetWGDevice() *wgdevice.Device {
 	return m.GetWGDeviceFunc()
 }
 
-func (m *MockWGIface) GetStats(peerKey string) (configurer.WGStats, error) {
+func (m *MockWGIface) GetStats() (map[string]configurer.WGStats, error) {
-	return m.GetStatsFunc(peerKey)
+	return m.GetStatsFunc()
 }
 
 func (m *MockWGIface) GetProxy() wgproxy.Proxy {
@@ -371,13 +375,13 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP: net.ParseIP("10.20.0.1"),
+				IP:      netip.MustParseAddr("10.20.0.1"),
-				Network: &net.IPNet{
+				Network: netip.MustParsePrefix("10.20.0.0/24"),
-					IP:   net.ParseIP("10.20.0.0"),
-					Mask: net.IPv4Mask(255, 255, 255, 0),
-				},
 			}
 		},
+		UpdatePeerFunc: func(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
+			return nil
+		},
 	}
 	engine.wgInterface = wgIface
 	engine.routeManager = routemanager.NewManager(routemanager.ManagerConfig{
@@ -400,6 +404,8 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 	engine.udpMux = bind.NewUniversalUDPMuxDefault(bind.UniversalUDPMuxParams{UDPConn: conn})
 	engine.ctx = ctx
 	engine.srWatcher = guard.NewSRWatcher(nil, nil, nil, icemaker.Config{})
+	engine.connMgr = NewConnMgr(engine.config, engine.statusRecorder, engine.peerStore, wgIface, dispatcher.NewConnectionDispatcher())
+	engine.connMgr.Start(ctx)
 
 	type testCase struct {
 		name       string
@@ -770,6 +776,8 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 
 			engine.routeManager = mockRouteManager
 			engine.dnsServer = &dns.MockServer{}
+			engine.connMgr = NewConnMgr(engine.config, engine.statusRecorder, engine.peerStore, engine.wgInterface, dispatcher.NewConnectionDispatcher())
+			engine.connMgr.Start(ctx)
 
 			defer func() {
 				exitErr := engine.Stop()
@@ -966,6 +974,8 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 			}
 
 			engine.dnsServer = mockDNSServer
+			engine.connMgr = NewConnMgr(engine.config, engine.statusRecorder, engine.peerStore, engine.wgInterface, dispatcher.NewConnectionDispatcher())
+			engine.connMgr.Start(ctx)
 
 			defer func() {
 				exitErr := engine.Stop()
@@ -1476,7 +1486,7 @@ func getConnectedPeers(e *Engine) int {
 	i := 0
 	for _, id := range e.peerStore.PeersPubKey() {
 		conn, _ := e.peerStore.PeerConn(id)
-		if conn.Status() == peer.StatusConnected {
+		if conn.IsConnected() {
 			i++
 		}
 	}

client/internal/iface_common.go

@@ -35,6 +35,7 @@ type wgIfaceBase interface {
 	GetFilter() device.PacketFilter
 	GetDevice() *device.FilteredDevice
 	GetWGDevice() *wgdevice.Device
-	GetStats(peerKey string) (configurer.WGStats, error)
+	GetStats() (map[string]configurer.WGStats, error)
 	GetNet() *netstack.Net
+	FullStats() (*configurer.Stats, error)
 }

client/internal/lazyconn/activity/listen_ip.go

@@ -0,0 +1,9 @@
+//go:build !linux || android
+
+package activity
+
+import "net"
+
+var (
+	listenIP = net.IP{127, 0, 0, 1}
+)

client/internal/lazyconn/activity/listen_ip_linux.go

@@ -0,0 +1,10 @@
+//go:build !android
+
+package activity
+
+import "net"
+
+var (
+	// use this ip to avoid eBPF proxy congestion
+	listenIP = net.IP{127, 0, 1, 1}
+)

client/internal/lazyconn/activity/listener.go

@@ -0,0 +1,106 @@
+package activity
+
+import (
+	"fmt"
+	"net"
+	"sync"
+	"sync/atomic"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/lazyconn"
+)
+
+// Listener it is not a thread safe implementation, do not call Close before ReadPackets. It will cause blocking
+type Listener struct {
+	wgIface  lazyconn.WGIface
+	peerCfg  lazyconn.PeerConfig
+	conn     *net.UDPConn
+	endpoint *net.UDPAddr
+	done     sync.Mutex
+
+	isClosed atomic.Bool // use to avoid error log when closing the listener
+}
+
+func NewListener(wgIface lazyconn.WGIface, cfg lazyconn.PeerConfig) (*Listener, error) {
+	d := &Listener{
+		wgIface: wgIface,
+		peerCfg: cfg,
+	}
+
+	conn, err := d.newConn()
+	if err != nil {
+		return nil, fmt.Errorf("failed to creating activity listener: %v", err)
+	}
+	d.conn = conn
+	d.endpoint = conn.LocalAddr().(*net.UDPAddr)
+
+	if err := d.createEndpoint(); err != nil {
+		return nil, err
+	}
+	d.done.Lock()
+	cfg.Log.Infof("created activity listener: %s", conn.LocalAddr().(*net.UDPAddr).String())
+	return d, nil
+}
+
+func (d *Listener) ReadPackets() {
+	for {
+		n, remoteAddr, err := d.conn.ReadFromUDP(make([]byte, 1))
+		if err != nil {
+			if d.isClosed.Load() {
+				d.peerCfg.Log.Debugf("exit from activity listener")
+			} else {
+				d.peerCfg.Log.Errorf("failed to read from activity listener: %s", err)
+			}
+			break
+		}
+
+		if n < 1 {
+			d.peerCfg.Log.Warnf("received %d bytes from %s, too short", n, remoteAddr)
+			continue
+		}
+		break
+	}
+
+	if err := d.removeEndpoint(); err != nil {
+		d.peerCfg.Log.Errorf("failed to remove endpoint: %s", err)
+	}
+
+	_ = d.conn.Close() // do not care err because some cases it will return "use of closed network connection"
+	d.done.Unlock()
+}
+
+func (d *Listener) Close() {
+	d.peerCfg.Log.Infof("closing listener: %s", d.conn.LocalAddr().String())
+	d.isClosed.Store(true)
+
+	if err := d.conn.Close(); err != nil {
+		d.peerCfg.Log.Errorf("failed to close UDP listener: %s", err)
+	}
+	d.done.Lock()
+}
+
+func (d *Listener) removeEndpoint() error {
+	d.peerCfg.Log.Debugf("removing lazy endpoint: %s", d.endpoint.String())
+	return d.wgIface.RemovePeer(d.peerCfg.PublicKey)
+}
+
+func (d *Listener) createEndpoint() error {
+	d.peerCfg.Log.Debugf("creating lazy endpoint: %s", d.endpoint.String())
+	return d.wgIface.UpdatePeer(d.peerCfg.PublicKey, d.peerCfg.AllowedIPs, 0, d.endpoint, nil)
+}
+
+func (d *Listener) newConn() (*net.UDPConn, error) {
+	addr := &net.UDPAddr{
+		Port: 0,
+		IP:   listenIP,
+	}
+
+	conn, err := net.ListenUDP("udp", addr)
+	if err != nil {
+		log.Errorf("failed to create activity listener on %s: %s", addr, err)
+		return nil, err
+	}
+
+	return conn, nil
+}

client/internal/lazyconn/activity/listener_test.go

@@ -0,0 +1,41 @@
+package activity
+
+import (
+	"testing"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/lazyconn"
+)
+
+func TestNewListener(t *testing.T) {
+	peer := &MocPeer{
+		PeerID: "examplePublicKey1",
+	}
+
+	cfg := lazyconn.PeerConfig{
+		PublicKey:  peer.PeerID,
+		PeerConnID: peer.ConnID(),
+		Log:        log.WithField("peer", "examplePublicKey1"),
+	}
+
+	l, err := NewListener(MocWGIface{}, cfg)
+	if err != nil {
+		t.Fatalf("failed to create listener: %v", err)
+	}
+
+	chanClosed := make(chan struct{})
+	go func() {
+		defer close(chanClosed)
+		l.ReadPackets()
+	}()
+
+	time.Sleep(1 * time.Second)
+	l.Close()
+
+	select {
+	case <-chanClosed:
+	case <-time.After(time.Second):
+	}
+}

client/internal/lazyconn/activity/manager.go

@@ -0,0 +1,95 @@
+package activity
+
+import (
+	"sync"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/lazyconn"
+	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
+)
+
+type Manager struct {
+	OnActivityChan chan peerid.ConnID
+
+	wgIface lazyconn.WGIface
+
+	peers map[peerid.ConnID]*Listener
+	done  chan struct{}
+
+	mu sync.Mutex
+}
+
+func NewManager(wgIface lazyconn.WGIface) *Manager {
+	m := &Manager{
+		OnActivityChan: make(chan peerid.ConnID, 1),
+		wgIface:        wgIface,
+		peers:          make(map[peerid.ConnID]*Listener),
+		done:           make(chan struct{}),
+	}
+	return m
+}
+
+func (m *Manager) MonitorPeerActivity(peerCfg lazyconn.PeerConfig) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	if _, ok := m.peers[peerCfg.PeerConnID]; ok {
+		log.Warnf("activity listener already exists for: %s", peerCfg.PublicKey)
+		return nil
+	}
+
+	listener, err := NewListener(m.wgIface, peerCfg)
+	if err != nil {
+		return err
+	}
+	m.peers[peerCfg.PeerConnID] = listener
+
+	go m.waitForTraffic(listener, peerCfg.PeerConnID)
+	return nil
+}
+
+func (m *Manager) RemovePeer(log *log.Entry, peerConnID peerid.ConnID) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	listener, ok := m.peers[peerConnID]
+	if !ok {
+		return
+	}
+	log.Debugf("removing activity listener")
+	delete(m.peers, peerConnID)
+	listener.Close()
+}
+
+func (m *Manager) Close() {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	close(m.done)
+	for peerID, listener := range m.peers {
+		delete(m.peers, peerID)
+		listener.Close()
+	}
+}
+
+func (m *Manager) waitForTraffic(listener *Listener, peerConnID peerid.ConnID) {
+	listener.ReadPackets()
+
+	m.mu.Lock()
+	if _, ok := m.peers[peerConnID]; !ok {
+		m.mu.Unlock()
+		return
+	}
+	delete(m.peers, peerConnID)
+	m.mu.Unlock()
+
+	m.notify(peerConnID)
+}
+
+func (m *Manager) notify(peerConnID peerid.ConnID) {
+	select {
+	case <-m.done:
+	case m.OnActivityChan <- peerConnID:
+	}
+}

client/internal/lazyconn/activity/manager_test.go

@@ -0,0 +1,162 @@
+package activity
+
+import (
+	"net"
+	"net/netip"
+	"testing"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+
+	"github.com/netbirdio/netbird/client/internal/lazyconn"
+	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
+)
+
+type MocPeer struct {
+	PeerID string
+}
+
+func (m *MocPeer) ConnID() peerid.ConnID {
+	return peerid.ConnID(m)
+}
+
+type MocWGIface struct {
+}
+
+func (m MocWGIface) RemovePeer(string) error {
+	return nil
+}
+
+func (m MocWGIface) UpdatePeer(string, []netip.Prefix, time.Duration, *net.UDPAddr, *wgtypes.Key) error {
+	return nil
+
+}
+
+func TestManager_MonitorPeerActivity(t *testing.T) {
+	mocWgInterface := &MocWGIface{}
+
+	peer1 := &MocPeer{
+		PeerID: "examplePublicKey1",
+	}
+	mgr := NewManager(mocWgInterface)
+	defer mgr.Close()
+	peerCfg1 := lazyconn.PeerConfig{
+		PublicKey:  peer1.PeerID,
+		PeerConnID: peer1.ConnID(),
+		Log:        log.WithField("peer", "examplePublicKey1"),
+	}
+
+	if err := mgr.MonitorPeerActivity(peerCfg1); err != nil {
+		t.Fatalf("failed to monitor peer activity: %v", err)
+	}
+
+	if err := trigger(mgr.peers[peerCfg1.PeerConnID].conn.LocalAddr().String()); err != nil {
+		t.Fatalf("failed to trigger activity: %v", err)
+	}
+
+	select {
+	case peerConnID := <-mgr.OnActivityChan:
+		if peerConnID != peerCfg1.PeerConnID {
+			t.Fatalf("unexpected peerConnID: %v", peerConnID)
+		}
+	case <-time.After(1 * time.Second):
+	}
+}
+
+func TestManager_RemovePeerActivity(t *testing.T) {
+	mocWgInterface := &MocWGIface{}
+
+	peer1 := &MocPeer{
+		PeerID: "examplePublicKey1",
+	}
+	mgr := NewManager(mocWgInterface)
+	defer mgr.Close()
+
+	peerCfg1 := lazyconn.PeerConfig{
+		PublicKey:  peer1.PeerID,
+		PeerConnID: peer1.ConnID(),
+		Log:        log.WithField("peer", "examplePublicKey1"),
+	}
+
+	if err := mgr.MonitorPeerActivity(peerCfg1); err != nil {
+		t.Fatalf("failed to monitor peer activity: %v", err)
+	}
+
+	addr := mgr.peers[peerCfg1.PeerConnID].conn.LocalAddr().String()
+
+	mgr.RemovePeer(peerCfg1.Log, peerCfg1.PeerConnID)
+
+	if err := trigger(addr); err != nil {
+		t.Fatalf("failed to trigger activity: %v", err)
+	}
+
+	select {
+	case <-mgr.OnActivityChan:
+		t.Fatal("should not have active activity")
+	case <-time.After(1 * time.Second):
+	}
+}
+
+func TestManager_MultiPeerActivity(t *testing.T) {
+	mocWgInterface := &MocWGIface{}
+
+	peer1 := &MocPeer{
+		PeerID: "examplePublicKey1",
+	}
+	mgr := NewManager(mocWgInterface)
+	defer mgr.Close()
+
+	peerCfg1 := lazyconn.PeerConfig{
+		PublicKey:  peer1.PeerID,
+		PeerConnID: peer1.ConnID(),
+		Log:        log.WithField("peer", "examplePublicKey1"),
+	}
+
+	peer2 := &MocPeer{}
+	peerCfg2 := lazyconn.PeerConfig{
+		PublicKey:  peer2.PeerID,
+		PeerConnID: peer2.ConnID(),
+		Log:        log.WithField("peer", "examplePublicKey2"),
+	}
+
+	if err := mgr.MonitorPeerActivity(peerCfg1); err != nil {
+		t.Fatalf("failed to monitor peer activity: %v", err)
+	}
+
+	if err := mgr.MonitorPeerActivity(peerCfg2); err != nil {
+		t.Fatalf("failed to monitor peer activity: %v", err)
+	}
+
+	if err := trigger(mgr.peers[peerCfg1.PeerConnID].conn.LocalAddr().String()); err != nil {
+		t.Fatalf("failed to trigger activity: %v", err)
+	}
+
+	if err := trigger(mgr.peers[peerCfg2.PeerConnID].conn.LocalAddr().String()); err != nil {
+		t.Fatalf("failed to trigger activity: %v", err)
+	}
+
+	for i := 0; i < 2; i++ {
+		select {
+		case <-mgr.OnActivityChan:
+		case <-time.After(1 * time.Second):
+			t.Fatal("timed out waiting for activity")
+		}
+	}
+}
+
+func trigger(addr string) error {
+	// Create a connection to the destination UDP address and port
+	conn, err := net.Dial("udp", addr)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	// Write the bytes to the UDP connection
+	_, err = conn.Write([]byte{0x01, 0x02, 0x03, 0x04, 0x05})
+	if err != nil {
+		return err
+	}
+	return nil
+}

client/internal/lazyconn/doc.go

@@ -0,0 +1,32 @@
+/*
+Package lazyconn provides mechanisms for managing lazy connections, which activate on demand to optimize resource usage and establish connections efficiently.
+
+## Overview
+
+The package includes a `Manager` component responsible for:
+- Managing lazy connections activated on-demand
+- Managing inactivity monitors for lazy connections (based on peer disconnection events)
+- Maintaining a list of excluded peers that should always have permanent connections
+- Handling remote peer connection initiatives based on peer signaling
+
+## Thread-Safe Operations
+
+The `Manager` ensures thread safety across multiple operations, categorized by caller:
+
+- **Engine (single goroutine)**:
+  - `AddPeer`: Adds a peer to the connection manager.
+  - `RemovePeer`: Removes a peer from the connection manager.
+  - `ActivatePeer`: Activates a lazy connection for a peer. This come from Signal client
+  - `ExcludePeer`: Marks peers for a permanent connection. Like router peers and other peers that should always have a connection.
+
+- **Connection Dispatcher (any peer routine)**:
+  - `onPeerConnected`: Suspend the inactivity monitor for an active peer connection.
+  - `onPeerDisconnected`: Starts the inactivity monitor for a disconnected peer.
+
+- **Activity Manager**:
+  - `onPeerActivity`: Run peer.Open(context).
+
+- **Inactivity Monitor**:
+  - `onPeerInactivityTimedOut`: Close peer connection and restart activity monitor.
+*/
+package lazyconn

client/internal/lazyconn/env.go

@@ -0,0 +1,26 @@
+package lazyconn
+
+import (
+	"os"
+	"strconv"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	EnvEnableLazyConn      = "NB_ENABLE_EXPERIMENTAL_LAZY_CONN"
+	EnvInactivityThreshold = "NB_LAZY_CONN_INACTIVITY_THRESHOLD"
+)
+
+func IsLazyConnEnabledByEnv() bool {
+	val := os.Getenv(EnvEnableLazyConn)
+	if val == "" {
+		return false
+	}
+	enabled, err := strconv.ParseBool(val)
+	if err != nil {
+		log.Warnf("failed to parse %s: %v", EnvEnableLazyConn, err)
+		return false
+	}
+	return enabled
+}

client/internal/lazyconn/inactivity/inactivity.go

@@ -0,0 +1,70 @@
+package inactivity
+
+import (
+	"context"
+	"time"
+
+	peer "github.com/netbirdio/netbird/client/internal/peer/id"
+)
+
+const (
+	DefaultInactivityThreshold = 60 * time.Minute // idle after 1 hour inactivity
+	MinimumInactivityThreshold = 3 * time.Minute
+)
+
+type Monitor struct {
+	id                  peer.ConnID
+	timer               *time.Timer
+	cancel              context.CancelFunc
+	inactivityThreshold time.Duration
+}
+
+func NewInactivityMonitor(peerID peer.ConnID, threshold time.Duration) *Monitor {
+	i := &Monitor{
+		id:                  peerID,
+		timer:               time.NewTimer(0),
+		inactivityThreshold: threshold,
+	}
+	i.timer.Stop()
+	return i
+}
+
+func (i *Monitor) Start(ctx context.Context, timeoutChan chan peer.ConnID) {
+	i.timer.Reset(i.inactivityThreshold)
+	defer i.timer.Stop()
+
+	ctx, i.cancel = context.WithCancel(ctx)
+	defer func() {
+		defer i.cancel()
+		select {
+		case <-i.timer.C:
+		default:
+		}
+	}()
+
+	select {
+	case <-i.timer.C:
+		select {
+		case timeoutChan <- i.id:
+		case <-ctx.Done():
+			return
+		}
+	case <-ctx.Done():
+		return
+	}
+}
+
+func (i *Monitor) Stop() {
+	if i.cancel == nil {
+		return
+	}
+	i.cancel()
+}
+
+func (i *Monitor) PauseTimer() {
+	i.timer.Stop()
+}
+
+func (i *Monitor) ResetTimer() {
+	i.timer.Reset(i.inactivityThreshold)
+}

client/internal/lazyconn/inactivity/inactivity_test.go

@@ -0,0 +1,156 @@
+package inactivity
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
+)
+
+type MocPeer struct {
+}
+
+func (m *MocPeer) ConnID() peerid.ConnID {
+	return peerid.ConnID(m)
+}
+
+func TestInactivityMonitor(t *testing.T) {
+	tCtx, testTimeoutCancel := context.WithTimeout(context.Background(), time.Second*5)
+	defer testTimeoutCancel()
+
+	p := &MocPeer{}
+	im := NewInactivityMonitor(p.ConnID(), time.Second*2)
+
+	timeoutChan := make(chan peerid.ConnID)
+
+	exitChan := make(chan struct{})
+
+	go func() {
+		defer close(exitChan)
+		im.Start(tCtx, timeoutChan)
+	}()
+
+	select {
+	case <-timeoutChan:
+	case <-tCtx.Done():
+		t.Fatal("timeout")
+	}
+
+	select {
+	case <-exitChan:
+	case <-tCtx.Done():
+		t.Fatal("timeout")
+	}
+}
+
+func TestReuseInactivityMonitor(t *testing.T) {
+	p := &MocPeer{}
+	im := NewInactivityMonitor(p.ConnID(), time.Second*2)
+
+	timeoutChan := make(chan peerid.ConnID)
+
+	for i := 2; i > 0; i-- {
+		exitChan := make(chan struct{})
+
+		testTimeoutCtx, testTimeoutCancel := context.WithTimeout(context.Background(), time.Second*5)
+
+		go func() {
+			defer close(exitChan)
+			im.Start(testTimeoutCtx, timeoutChan)
+		}()
+
+		select {
+		case <-timeoutChan:
+		case <-testTimeoutCtx.Done():
+			t.Fatal("timeout")
+		}
+
+		select {
+		case <-exitChan:
+		case <-testTimeoutCtx.Done():
+			t.Fatal("timeout")
+		}
+		testTimeoutCancel()
+	}
+}
+
+func TestStopInactivityMonitor(t *testing.T) {
+	tCtx, testTimeoutCancel := context.WithTimeout(context.Background(), time.Second*5)
+	defer testTimeoutCancel()
+
+	p := &MocPeer{}
+	im := NewInactivityMonitor(p.ConnID(), DefaultInactivityThreshold)
+
+	timeoutChan := make(chan peerid.ConnID)
+
+	exitChan := make(chan struct{})
+
+	go func() {
+		defer close(exitChan)
+		im.Start(tCtx, timeoutChan)
+	}()
+
+	go func() {
+		time.Sleep(3 * time.Second)
+		im.Stop()
+	}()
+
+	select {
+	case <-timeoutChan:
+		t.Fatal("unexpected timeout")
+	case <-exitChan:
+	case <-tCtx.Done():
+		t.Fatal("timeout")
+	}
+}
+
+func TestPauseInactivityMonitor(t *testing.T) {
+	tCtx, testTimeoutCancel := context.WithTimeout(context.Background(), time.Second*10)
+	defer testTimeoutCancel()
+
+	p := &MocPeer{}
+	trashHold := time.Second * 3
+	im := NewInactivityMonitor(p.ConnID(), trashHold)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	timeoutChan := make(chan peerid.ConnID)
+
+	exitChan := make(chan struct{})
+
+	go func() {
+		defer close(exitChan)
+		im.Start(ctx, timeoutChan)
+	}()
+
+	time.Sleep(1 * time.Second) // grant time to start the monitor
+	im.PauseTimer()
+
+	// check to do not receive timeout
+	thresholdCtx, thresholdCancel := context.WithTimeout(context.Background(), trashHold+time.Second)
+	defer thresholdCancel()
+	select {
+	case <-exitChan:
+		t.Fatal("unexpected exit")
+	case <-timeoutChan:
+		t.Fatal("unexpected timeout")
+	case <-thresholdCtx.Done():
+		// test ok
+	case <-tCtx.Done():
+		t.Fatal("test timed out")
+	}
+
+	// test reset timer
+	im.ResetTimer()
+
+	select {
+	case <-tCtx.Done():
+		t.Fatal("test timed out")
+	case <-exitChan:
+		t.Fatal("unexpected exit")
+	case <-timeoutChan:
+		// expected timeout
+	}
+}

client/internal/lazyconn/manager/manager.go

@@ -0,0 +1,404 @@
+package manager
+
+import (
+	"context"
+	"sync"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/lazyconn"
+	"github.com/netbirdio/netbird/client/internal/lazyconn/activity"
+	"github.com/netbirdio/netbird/client/internal/lazyconn/inactivity"
+	"github.com/netbirdio/netbird/client/internal/peer/dispatcher"
+	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
+	"github.com/netbirdio/netbird/client/internal/peerstore"
+)
+
+const (
+	watcherActivity watcherType = iota
+	watcherInactivity
+)
+
+type watcherType int
+
+type managedPeer struct {
+	peerCfg         *lazyconn.PeerConfig
+	expectedWatcher watcherType
+}
+
+type Config struct {
+	InactivityThreshold *time.Duration
+}
+
+// Manager manages lazy connections
+// It is responsible for:
+// - Managing lazy connections activated on-demand
+// - Managing inactivity monitors for lazy connections (based on peer disconnection events)
+// - Maintaining a list of excluded peers that should always have permanent connections
+// - Handling connection establishment based on peer signaling
+type Manager struct {
+	peerStore           *peerstore.Store
+	connStateDispatcher *dispatcher.ConnectionDispatcher
+	inactivityThreshold time.Duration
+
+	connStateListener    *dispatcher.ConnectionListener
+	managedPeers         map[string]*lazyconn.PeerConfig
+	managedPeersByConnID map[peerid.ConnID]*managedPeer
+	excludes             map[string]lazyconn.PeerConfig
+	managedPeersMu       sync.Mutex
+
+	activityManager    *activity.Manager
+	inactivityMonitors map[peerid.ConnID]*inactivity.Monitor
+
+	cancel     context.CancelFunc
+	onInactive chan peerid.ConnID
+}
+
+func NewManager(config Config, peerStore *peerstore.Store, wgIface lazyconn.WGIface, connStateDispatcher *dispatcher.ConnectionDispatcher) *Manager {
+	log.Infof("setup lazy connection service")
+	m := &Manager{
+		peerStore:            peerStore,
+		connStateDispatcher:  connStateDispatcher,
+		inactivityThreshold:  inactivity.DefaultInactivityThreshold,
+		managedPeers:         make(map[string]*lazyconn.PeerConfig),
+		managedPeersByConnID: make(map[peerid.ConnID]*managedPeer),
+		excludes:             make(map[string]lazyconn.PeerConfig),
+		activityManager:      activity.NewManager(wgIface),
+		inactivityMonitors:   make(map[peerid.ConnID]*inactivity.Monitor),
+		onInactive:           make(chan peerid.ConnID),
+	}
+
+	if config.InactivityThreshold != nil {
+		if *config.InactivityThreshold >= inactivity.MinimumInactivityThreshold {
+			m.inactivityThreshold = *config.InactivityThreshold
+		} else {
+			log.Warnf("inactivity threshold is too low, using %v", m.inactivityThreshold)
+		}
+	}
+
+	m.connStateListener = &dispatcher.ConnectionListener{
+		OnConnected:    m.onPeerConnected,
+		OnDisconnected: m.onPeerDisconnected,
+	}
+
+	connStateDispatcher.AddListener(m.connStateListener)
+
+	return m
+}
+
+// Start starts the manager and listens for peer activity and inactivity events
+func (m *Manager) Start(ctx context.Context) {
+	defer m.close()
+
+	ctx, m.cancel = context.WithCancel(ctx)
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case peerConnID := <-m.activityManager.OnActivityChan:
+			m.onPeerActivity(ctx, peerConnID)
+		case peerConnID := <-m.onInactive:
+			m.onPeerInactivityTimedOut(peerConnID)
+		}
+	}
+}
+
+// ExcludePeer marks peers for a permanent connection
+// It removes peers from the managed list if they are added to the exclude list
+// Adds them back to the managed list and start the inactivity listener if they are removed from the exclude list. In
+// this case, we suppose that the connection status is connected or connecting.
+// If the peer is not exists yet in the managed list then the responsibility is the upper layer to call the AddPeer function
+func (m *Manager) ExcludePeer(ctx context.Context, peerConfigs []lazyconn.PeerConfig) []string {
+	m.managedPeersMu.Lock()
+	defer m.managedPeersMu.Unlock()
+
+	added := make([]string, 0)
+	excludes := make(map[string]lazyconn.PeerConfig, len(peerConfigs))
+
+	for _, peerCfg := range peerConfigs {
+		log.Infof("update excluded lazy connection list with peer: %s", peerCfg.PublicKey)
+		excludes[peerCfg.PublicKey] = peerCfg
+	}
+
+	// if a peer is newly added to the exclude list, remove from the managed peers list
+	for pubKey, peerCfg := range excludes {
+		if _, wasExcluded := m.excludes[pubKey]; wasExcluded {
+			continue
+		}
+
+		added = append(added, pubKey)
+		peerCfg.Log.Infof("peer newly added to lazy connection exclude list")
+		m.removePeer(pubKey)
+	}
+
+	// if a peer has been removed from exclude list then it should be added to the managed peers
+	for pubKey, peerCfg := range m.excludes {
+		if _, stillExcluded := excludes[pubKey]; stillExcluded {
+			continue
+		}
+
+		peerCfg.Log.Infof("peer removed from lazy connection exclude list")
+
+		if err := m.addActivePeer(ctx, peerCfg); err != nil {
+			log.Errorf("failed to add peer to lazy connection manager: %s", err)
+			continue
+		}
+	}
+
+	m.excludes = excludes
+	return added
+}
+
+func (m *Manager) AddPeer(peerCfg lazyconn.PeerConfig) (bool, error) {
+	m.managedPeersMu.Lock()
+	defer m.managedPeersMu.Unlock()
+
+	peerCfg.Log.Debugf("adding peer to lazy connection manager")
+
+	_, exists := m.excludes[peerCfg.PublicKey]
+	if exists {
+		return true, nil
+	}
+
+	if _, ok := m.managedPeers[peerCfg.PublicKey]; ok {
+		peerCfg.Log.Warnf("peer already managed")
+		return false, nil
+	}
+
+	if err := m.activityManager.MonitorPeerActivity(peerCfg); err != nil {
+		return false, err
+	}
+
+	im := inactivity.NewInactivityMonitor(peerCfg.PeerConnID, m.inactivityThreshold)
+	m.inactivityMonitors[peerCfg.PeerConnID] = im
+
+	m.managedPeers[peerCfg.PublicKey] = &peerCfg
+	m.managedPeersByConnID[peerCfg.PeerConnID] = &managedPeer{
+		peerCfg:         &peerCfg,
+		expectedWatcher: watcherActivity,
+	}
+	return false, nil
+}
+
+// AddActivePeers adds a list of peers to the lazy connection manager
+// suppose these peers was in connected or in connecting states
+func (m *Manager) AddActivePeers(ctx context.Context, peerCfg []lazyconn.PeerConfig) error {
+	m.managedPeersMu.Lock()
+	defer m.managedPeersMu.Unlock()
+
+	for _, cfg := range peerCfg {
+		if _, ok := m.managedPeers[cfg.PublicKey]; ok {
+			cfg.Log.Errorf("peer already managed")
+			continue
+		}
+
+		if err := m.addActivePeer(ctx, cfg); err != nil {
+			cfg.Log.Errorf("failed to add peer to lazy connection manager: %v", err)
+			return err
+		}
+	}
+	return nil
+}
+
+func (m *Manager) RemovePeer(peerID string) {
+	m.managedPeersMu.Lock()
+	defer m.managedPeersMu.Unlock()
+
+	m.removePeer(peerID)
+}
+
+// ActivatePeer activates a peer connection when a signal message is received
+func (m *Manager) ActivatePeer(ctx context.Context, peerID string) (found bool) {
+	m.managedPeersMu.Lock()
+	defer m.managedPeersMu.Unlock()
+
+	cfg, ok := m.managedPeers[peerID]
+	if !ok {
+		return false
+	}
+
+	mp, ok := m.managedPeersByConnID[cfg.PeerConnID]
+	if !ok {
+		return false
+	}
+
+	// signal messages coming continuously after success activation, with this avoid the multiple activation
+	if mp.expectedWatcher == watcherInactivity {
+		return false
+	}
+
+	mp.expectedWatcher = watcherInactivity
+
+	m.activityManager.RemovePeer(cfg.Log, cfg.PeerConnID)
+
+	im, ok := m.inactivityMonitors[cfg.PeerConnID]
+	if !ok {
+		cfg.Log.Errorf("inactivity monitor not found for peer")
+		return false
+	}
+
+	mp.peerCfg.Log.Infof("starting inactivity monitor")
+	go im.Start(ctx, m.onInactive)
+
+	return true
+}
+
+func (m *Manager) addActivePeer(ctx context.Context, peerCfg lazyconn.PeerConfig) error {
+	if _, ok := m.managedPeers[peerCfg.PublicKey]; ok {
+		peerCfg.Log.Warnf("peer already managed")
+		return nil
+	}
+
+	im := inactivity.NewInactivityMonitor(peerCfg.PeerConnID, m.inactivityThreshold)
+	m.inactivityMonitors[peerCfg.PeerConnID] = im
+
+	m.managedPeers[peerCfg.PublicKey] = &peerCfg
+	m.managedPeersByConnID[peerCfg.PeerConnID] = &managedPeer{
+		peerCfg:         &peerCfg,
+		expectedWatcher: watcherInactivity,
+	}
+
+	peerCfg.Log.Infof("starting inactivity monitor on peer that has been removed from exclude list")
+	go im.Start(ctx, m.onInactive)
+	return nil
+}
+
+func (m *Manager) removePeer(peerID string) {
+	cfg, ok := m.managedPeers[peerID]
+	if !ok {
+		return
+	}
+
+	cfg.Log.Infof("removing lazy peer")
+
+	if im, ok := m.inactivityMonitors[cfg.PeerConnID]; ok {
+		im.Stop()
+		delete(m.inactivityMonitors, cfg.PeerConnID)
+		cfg.Log.Debugf("inactivity monitor stopped")
+	}
+
+	m.activityManager.RemovePeer(cfg.Log, cfg.PeerConnID)
+	delete(m.managedPeers, peerID)
+	delete(m.managedPeersByConnID, cfg.PeerConnID)
+}
+
+func (m *Manager) close() {
+	m.managedPeersMu.Lock()
+	defer m.managedPeersMu.Unlock()
+
+	m.cancel()
+
+	m.connStateDispatcher.RemoveListener(m.connStateListener)
+	m.activityManager.Close()
+	for _, iw := range m.inactivityMonitors {
+		iw.Stop()
+	}
+	m.inactivityMonitors = make(map[peerid.ConnID]*inactivity.Monitor)
+	m.managedPeers = make(map[string]*lazyconn.PeerConfig)
+	m.managedPeersByConnID = make(map[peerid.ConnID]*managedPeer)
+	log.Infof("lazy connection manager closed")
+}
+
+func (m *Manager) onPeerActivity(ctx context.Context, peerConnID peerid.ConnID) {
+	m.managedPeersMu.Lock()
+	defer m.managedPeersMu.Unlock()
+
+	mp, ok := m.managedPeersByConnID[peerConnID]
+	if !ok {
+		log.Errorf("peer not found by conn id: %v", peerConnID)
+		return
+	}
+
+	if mp.expectedWatcher != watcherActivity {
+		mp.peerCfg.Log.Warnf("ignore activity event")
+		return
+	}
+
+	mp.peerCfg.Log.Infof("detected peer activity")
+
+	mp.expectedWatcher = watcherInactivity
+
+	mp.peerCfg.Log.Infof("starting inactivity monitor")
+	go m.inactivityMonitors[peerConnID].Start(ctx, m.onInactive)
+
+	m.peerStore.PeerConnOpen(ctx, mp.peerCfg.PublicKey)
+}
+
+func (m *Manager) onPeerInactivityTimedOut(peerConnID peerid.ConnID) {
+	m.managedPeersMu.Lock()
+	defer m.managedPeersMu.Unlock()
+
+	mp, ok := m.managedPeersByConnID[peerConnID]
+	if !ok {
+		log.Errorf("peer not found by id: %v", peerConnID)
+		return
+	}
+
+	if mp.expectedWatcher != watcherInactivity {
+		mp.peerCfg.Log.Warnf("ignore inactivity event")
+		return
+	}
+
+	mp.peerCfg.Log.Infof("connection timed out")
+
+	// this is blocking operation, potentially can be optimized
+	m.peerStore.PeerConnClose(mp.peerCfg.PublicKey)
+
+	mp.peerCfg.Log.Infof("start activity monitor")
+
+	mp.expectedWatcher = watcherActivity
+
+	// just in case free up
+	m.inactivityMonitors[peerConnID].PauseTimer()
+
+	if err := m.activityManager.MonitorPeerActivity(*mp.peerCfg); err != nil {
+		mp.peerCfg.Log.Errorf("failed to create activity monitor: %v", err)
+		return
+	}
+}
+
+func (m *Manager) onPeerConnected(peerConnID peerid.ConnID) {
+	m.managedPeersMu.Lock()
+	defer m.managedPeersMu.Unlock()
+
+	mp, ok := m.managedPeersByConnID[peerConnID]
+	if !ok {
+		return
+	}
+
+	if mp.expectedWatcher != watcherInactivity {
+		return
+	}
+
+	iw, ok := m.inactivityMonitors[mp.peerCfg.PeerConnID]
+	if !ok {
+		mp.peerCfg.Log.Errorf("inactivity monitor not found for peer")
+		return
+	}
+
+	mp.peerCfg.Log.Infof("peer connected, pausing inactivity monitor while connection is not disconnected")
+	iw.PauseTimer()
+}
+
+func (m *Manager) onPeerDisconnected(peerConnID peerid.ConnID) {
+	m.managedPeersMu.Lock()
+	defer m.managedPeersMu.Unlock()
+
+	mp, ok := m.managedPeersByConnID[peerConnID]
+	if !ok {
+		return
+	}
+
+	if mp.expectedWatcher != watcherInactivity {
+		return
+	}
+
+	iw, ok := m.inactivityMonitors[mp.peerCfg.PeerConnID]
+	if !ok {
+		return
+	}
+
+	mp.peerCfg.Log.Infof("reset inactivity monitor timer")
+	iw.ResetTimer()
+}

client/internal/lazyconn/peercfg.go

@@ -0,0 +1,16 @@
+package lazyconn
+
+import (
+	"net/netip"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/peer/id"
+)
+
+type PeerConfig struct {
+	PublicKey  string
+	AllowedIPs []netip.Prefix
+	PeerConnID id.ConnID
+	Log        *log.Entry
+}

client/internal/lazyconn/support.go

@@ -0,0 +1,41 @@
+package lazyconn
+
+import (
+	"strings"
+
+	"github.com/hashicorp/go-version"
+)
+
+var (
+	minVersion = version.Must(version.NewVersion("0.45.0"))
+)
+
+func IsSupported(agentVersion string) bool {
+	if agentVersion == "development" {
+		return true
+	}
+
+	// filter out versions like this: a6c5960, a7d5c522, d47be154
+	if !strings.Contains(agentVersion, ".") {
+		return false
+	}
+
+	normalizedVersion := normalizeVersion(agentVersion)
+	inputVer, err := version.NewVersion(normalizedVersion)
+	if err != nil {
+		return false
+	}
+
+	return inputVer.GreaterThanOrEqual(minVersion)
+}
+
+func normalizeVersion(version string) string {
+	// Remove prefixes like 'v' or 'a'
+	if len(version) > 0 && (version[0] == 'v' || version[0] == 'a') {
+		version = version[1:]
+	}
+
+	// Remove any suffixes like '-dirty', '-dev', '-SNAPSHOT', etc.
+	parts := strings.Split(version, "-")
+	return parts[0]
+}

client/internal/lazyconn/support_test.go

@@ -0,0 +1,31 @@
+package lazyconn
+
+import "testing"
+
+func TestIsSupported(t *testing.T) {
+	tests := []struct {
+		version string
+		want    bool
+	}{
+		{"development", true},
+		{"0.45.0", true},
+		{"v0.45.0", true},
+		{"0.45.1", true},
+		{"0.45.1-SNAPSHOT-559e6731", true},
+		{"v0.45.1-dev", true},
+		{"a7d5c522", false},
+		{"0.9.6", false},
+		{"0.9.6-SNAPSHOT", false},
+		{"0.9.6-SNAPSHOT-2033650", false},
+		{"meta_wt_version", false},
+		{"v0.31.1-dev", false},
+		{"", false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.version, func(t *testing.T) {
+			if got := IsSupported(tt.version); got != tt.want {
+				t.Errorf("IsSupported() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}